Malware Analysis Report

2024-10-19 02:41

Sample ID 240311-rcnn5ace41
Target sysvol.exe
SHA256 15bf2e47fd14a3a676452ca26d5c2551a67140ed8e8d3f1ebce9e5fcb7aa3fb4
Tags
povertystealer persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

15bf2e47fd14a3a676452ca26d5c2551a67140ed8e8d3f1ebce9e5fcb7aa3fb4

Threat Level: Known bad

The file sysvol.exe was found to be: Known bad.

Malicious Activity Summary

povertystealer persistence stealer

Poverty Stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Detect Poverty Stealer Payload

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

GoLang User-Agent

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-11 14:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-11 14:03

Reported

2024-03-11 14:37

Platform

win11-20240214-en

Max time kernel

1792s

Max time network

1794s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect Poverty Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Poverty Stealer

stealer povertystealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1292 created 3320 N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif C:\Windows\Explorer.EXE

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Run\App = "C:\\Windows\\SysWoW64\\calc.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1292 set thread context of 1804 N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif
PID 1804 set thread context of 852 N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 1804 set thread context of 1880 N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif C:\Windows\SysWoW64\calc.exe

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4872 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\sysvol.exe C:\Windows\SysWOW64\cmd.exe
PID 4872 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\sysvol.exe C:\Windows\SysWOW64\cmd.exe
PID 4872 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\sysvol.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2940 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2940 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2940 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2940 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2940 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2940 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2940 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2940 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2940 wrote to memory of 4328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2940 wrote to memory of 4328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2940 wrote to memory of 4328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2940 wrote to memory of 248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif
PID 2940 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif
PID 2940 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2940 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2940 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1292 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif
PID 1292 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif
PID 1292 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif
PID 1292 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif
PID 1804 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 1804 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 1804 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 1804 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 1804 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 1804 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 1804 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 1804 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 1880 wrote to memory of 4228 N/A C:\Windows\SysWoW64\calc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1880 wrote to memory of 4228 N/A C:\Windows\SysWoW64\calc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1880 wrote to memory of 4228 N/A C:\Windows\SysWoW64\calc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\sysvol.exe

"C:\Users\Admin\AppData\Local\Temp\sysvol.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 32540

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Compound + Injection + Emotions + Worm + Participants + Richmond + Alot 32540\Enters.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Disco 32540\r

C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif

32540\Enters.pif 32540\r

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif

C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif

C:\Windows\SysWoW64\calc.exe

C:\Windows\SysWoW64\calc.exe

C:\Windows\SysWoW64\calc.exe

C:\Windows\SysWoW64\calc.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\SysWoW64\calc.exe\" }"

Network

Country Destination Domain Proto
US 8.8.8.8:53 hRDHAYtAoQH.hRDHAYtAoQH udp
US 188.114.97.2:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
DE 146.70.169.164:2227 tcp
US 188.114.97.2:443 hostregister.info tcp
RU 195.2.70.38:30001 195.2.70.38 tcp
RU 91.142.74.28:30001 91.142.74.28 tcp
RU 195.2.70.38:30001 195.2.70.38 tcp
RU 91.142.74.28:30001 91.142.74.28 tcp
US 188.114.97.2:443 hostregister.info tcp
RU 195.2.70.38:30001 195.2.70.38 tcp
NL 109.234.39.110:17525 tcp
US 188.114.97.2:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 188.114.96.2:443 hostregister.info tcp
US 188.114.96.2:443 hostregister.info tcp
US 188.114.96.2:443 hostregister.info tcp
US 188.114.96.2:443 hostregister.info tcp
US 188.114.96.2:443 hostregister.info tcp
US 172.67.162.8:443 hostregister.info tcp
US 172.67.162.8:443 hostregister.info tcp
US 172.67.162.8:443 hostregister.info tcp
US 172.67.162.8:443 hostregister.info tcp
US 172.67.162.8:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
US 172.67.162.8:443 hostregister.info tcp
US 172.67.162.8:443 hostregister.info tcp
US 172.67.162.8:443 hostregister.info tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 172.67.162.8:443 hostregister.info tcp
US 172.67.162.8:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp

Files

C:\Users\Admin\AppData\Local\Temp\Bathrooms

MD5 a0d9b89b48e8fc49b82d019ee8500484
SHA1 5ca4d2e68d734e2314bc226f0bd6b5c04e0bdac3
SHA256 f231fe2acf36b89ade78b80eb336650de0e4a7e9bfee25e70bce55a93c77e02a
SHA512 1ac26f3815f4477a1ba6e73fe90587952fda18dd4da2ccd201bb5a36eebbe76270ace8b5f8764e279568ed394e5bdcf9ee10a429ad6c76f9b462c37043034fe5

C:\Users\Admin\AppData\Local\Temp\Richmond

MD5 bc70f3222d729f92658b32a28c6d7375
SHA1 8591ee5231e1efcf3eadc507909ec98b2cf29614
SHA256 5f9ba61683e3b51ca21cb15674306b7c58b62ee68210d96ecf8fb00b1d396a2f
SHA512 10e7738f01e40321e305f89115df545c29a60bad47b91fca651cec8d1dcacb4551c72f838ac0a10f7d5739090d042ac429c85ebced5056809d0251d8c909f3c6

C:\Users\Admin\AppData\Local\Temp\Alot

MD5 0c257b9edbcc7f41af6e1027bc0713ee
SHA1 2149a7bb22476f85610c842c34628b2f22d8a549
SHA256 7ac226e081d090f2e3cb99104b4226fcd5e77cb83f7edb23081c1a2bd376533c
SHA512 f98b584e5112a81336ad4d7f2a1a4066028fc0c9d7a0b5b148172bd4c9a0485983ea868522a61999415837fdbd73401cb703138729e03831dc39bbe6c1f3f25b

C:\Users\Admin\AppData\Local\Temp\Participants

MD5 53c678fa488852a4533e20624a3f4ac2
SHA1 22af659f0f7b6f09e3780ecafa87dff857c29707
SHA256 33f67ac58e056d541e9ffc261620bb6069bc3bdc0690cf6b1b4402cf64476da4
SHA512 79f7f93f9bc6b731bed2a69868cf2451b4c255fda7500914e8a0580b0fa6a8d468b2a2ec27c01f9b007e0addf9b5bc1abd569edeea16496464461cb09cb71fd7

C:\Users\Admin\AppData\Local\Temp\Worm

MD5 1624046c22d7d232e3ad77d456743551
SHA1 6ac978fe79d62baec9626ae3d18e2263ea91ede7
SHA256 0795d6a6fdc1bac55de379cd7f33e4440dc3645e748f91d2b3b4dddf38a8635a
SHA512 da89fc52fab7905d82fd1d9abb92ba53ec5f93f1ed296acab297aeeb8ce0b708052f8b519300926323001274d769b859778fbb7e736375f6e7c196f6287dcdc3

C:\Users\Admin\AppData\Local\Temp\Emotions

MD5 8a83e45fdfd2f28ef8210428fecdef9c
SHA1 db669761c961b72e7771cd8317c582ef8e48ddd1
SHA256 7e9d688abe2dd7d1ac4796a62d9e816d8c3efe719f2de72ce6c49221e027d2a7
SHA512 74dff439e42139117e9d384cb6323039683aaf5c18ed71285eec65d215eb4bf4a4c3e284231f1e7da6af9147606e9ccf13f081fb84f7f311f4e444878a7ab1e2

C:\Users\Admin\AppData\Local\Temp\Disco

MD5 8de31c24cb7fe99ff6348875de7cd146
SHA1 8e2afafc129d1ddfc6de010029bb867f1708c6f6
SHA256 dc30e0b588b256bd593502a28b6ce43f0da029b38fd70408b19b415d219066df
SHA512 6a20368a0cbc03e25fb699815f584727c050f4b583ff8ee467e4a03ce4123c29d2f90dc8a4745831f5bc860b7deaa68a2bc19364c46bfe136956d265539ac133

C:\Users\Admin\AppData\Local\Temp\Injection

MD5 4d21c2eec34495a74f67de9c7944bff3
SHA1 f9241a3fc121e397e23d6f3d07a3ee24b14137c2
SHA256 647a49b0eab7039c74d69e4142ed1be7f01afe9cbd6483d01039cf5b289973da
SHA512 8091201ebe4c08b105e558d2085aed1e90366ce289effa3e2d2a6b51d9364f1f68e3c1d8e54502931800a34d469152bb615e688d7563ac8b299de02c7161110c

C:\Users\Admin\AppData\Local\Temp\Compound

MD5 da2be5607513a22a9d61d9538f5f0636
SHA1 e77975bb6f507b4089409a06ab2226a6d54bfefd
SHA256 640dd32f2764bdb5c0578093a02e828ff53e18d397512a1992bba583d1d2e648
SHA512 1f432b70928e2b41fe74427e086bca411c88710adba700c32bc6089d02684edd04859503269b95bfa64be7439ebbfd41d928d9a464717517db18e68bc3eb63f4

C:\Users\Admin\AppData\Local\Temp\32540\Enters.pif

MD5 bfa84dbde0df8f1cad3e179bd46a6e34
SHA1 06ae3c38d4b2f8125656268925ebde9eca6a1f9e
SHA256 6de412b8674ffba5d78ff9d36abffbe2cf86fd08b2231592fca2fcf41f1f2314
SHA512 edd4c839437570003e1cc4a04e6cb7bf8c70c0ebdae741e69782e9bdf47c42441cd8d709170898859b94b3248cccf0e9dfa5e183c110b93ded935ce69a0ff82a

C:\Users\Admin\AppData\Local\Temp\THCBA47.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kxnc1dyo.ujr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 14:03

Reported

2024-03-11 14:35

Platform

win10-20240221-en

Max time kernel

1570s

Max time network

1599s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect Poverty Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A

Poverty Stealer

stealer povertystealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4564 created 3404 N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif C:\Windows\Explorer.EXE

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\App = "C:\\Windows\\SysWoW64\\calc.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4564 set thread context of 2672 N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif
PID 2672 set thread context of 2492 N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 2672 set thread context of 2068 N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif C:\Windows\SysWoW64\calc.exe

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3608 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\sysvol.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\sysvol.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\sysvol.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3412 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3412 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3412 wrote to memory of 420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3412 wrote to memory of 420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3412 wrote to memory of 420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3412 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3412 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3412 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3412 wrote to memory of 4668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3412 wrote to memory of 4668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3412 wrote to memory of 4668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3412 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif
PID 3412 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif
PID 3412 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3412 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3412 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4564 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif
PID 4564 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif
PID 4564 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif
PID 4564 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif
PID 2672 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 2672 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 2672 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 2672 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 2672 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 2672 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 2672 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 2672 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 2068 wrote to memory of 4308 N/A C:\Windows\SysWoW64\calc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 4308 N/A C:\Windows\SysWoW64\calc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 4308 N/A C:\Windows\SysWoW64\calc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence
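
The SetThreadContext and WriteProcessMemory rows above, read together with the process list, describe one chain: Enters.pif spawns a second copy of itself and sets its thread context (stage-2 unpack), that copy does the same to two freshly created calc.exe children (hollowing of a signed system binary), and one of those calc.exe processes then launches powershell.exe, which writes the Run key. What follows is an added example, not sandbox output and not the sample's code, of process-tree rules that fire on exactly this shape. The events are constructed Sysmon-style records assembled from the PIDs, images and command lines printed in this report; the field names and the GUI_APPS and SHELLS lists are assumptions made for the example.

```python
"""Process-tree rules for the hollowing-plus-persistence chain in this report.

Added example, not sandbox output. EVENTS are constructed Sysmon-style
records assembled from the PIDs, images and command lines listed in this
report; the field names, GUI_APPS and SHELLS lists are assumptions.
"""
from pathlib import PureWindowsPath

AV_NAMES = {"wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
            "nswscsvc.exe", "sophoshealth.exe"}
GUI_APPS = {"calc.exe", "notepad.exe", "mspaint.exe"}   # assumed: never spawn shells legitimately
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"

PS_CMD = (r'powershell -WindowStyle hidden -Command "if (-Not (Test-Path '
          r'\"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) '
          r'{ Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" '
          r'-Name \"App\" -Value \"C:\Windows\SysWoW64\calc.exe\" }"')

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    {"type": "create", "pid": 3608, "ppid": 1, "image": TEMP + r"\sysvol.exe", "cmd": ""},
    {"type": "create", "pid": 3412, "ppid": 3608, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit'},
    {"type": "create", "pid": 2268, "ppid": 3412, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmd": "tasklist"},
    {"type": "create", "pid": 420, "ppid": 3412, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmd": 'findstr /I "wrsa.exe opssvc.exe"'},
    {"type": "create", "pid": 4564, "ppid": 3412, "image": TEMP + r"\32046\Enters.pif",
     "cmd": r"32046\Enters.pif 32046\r"},
    {"type": "create", "pid": 2672, "ppid": 4564, "image": TEMP + r"\32046\Enters.pif", "cmd": ""},
    {"type": "create", "pid": 2492, "ppid": 2672, "image": r"C:\Windows\SysWoW64\calc.exe", "cmd": ""},
    {"type": "create", "pid": 2068, "ppid": 2672, "image": r"C:\Windows\SysWoW64\calc.exe", "cmd": ""},
    {"type": "create", "pid": 4308, "ppid": 2068,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "cmd": PS_CMD},
    {"type": "set_thread_context", "pid": 4564, "target": 2672},
    {"type": "set_thread_context", "pid": 2672, "target": 2492},
    {"type": "set_thread_context", "pid": 2672, "target": 2068},
    {"type": "reg_set", "pid": 4308,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\App",
     "value": r"C:\Windows\SysWoW64\calc.exe"},
]

def name(path):
    """Lower-cased image file name, so SysWoW64/SysWOW64 spelling differences do not matter."""
    return PureWindowsPath(path).name.lower()

def ancestors(procs, pid, limit=32):
    """Parent PIDs of pid, nearest first, stopping at an unknown parent or after limit hops."""
    chain, cur = [], pid
    while cur in procs and len(chain) < limit:
        cur = procs[cur]["ppid"]
        chain.append(cur)
    return chain

def detect(events):
    """Return a set of (rule, pid) pairs; pid is the process the rule fired on."""
    procs = {e["pid"]: e for e in events if e["type"] == "create"}
    stc = [e for e in events if e["type"] == "set_thread_context"]
    stc_targets = {e["target"] for e in stc}
    hits = set()
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent is None:
            continue
        p, c = name(parent["image"]), name(e["image"])
        # batch-stage guard: tasklist piped into findstr carrying AV product names
        if p == "cmd.exe" and c == "findstr.exe" and any(a in e["cmd"].lower() for a in AV_NAMES):
            hits.add(("av_presence_check", e["pid"]))
        # a calculator has no business launching a script host
        if p in GUI_APPS and c in SHELLS:
            hits.add(("gui_app_spawns_shell", e["pid"]))
    for e in stc:
        src, dst = procs.get(e["pid"]), procs.get(e["target"])
        if src is None or dst is None:
            continue
        # same image: stage-2 unpack into a child copy; different image: hollowing
        rule = "stage2_same_image" if name(src["image"]) == name(dst["image"]) else "hollow_foreign_image"
        hits.add((rule, e["target"]))
    for e in events:
        if e["type"] == "reg_set" and RUN_KEY in e["key"].lower():
            # persistence written by a hollowed process or one of its descendants
            if any(a in stc_targets for a in [e["pid"], *ancestors(procs, e["pid"])]):
                hits.add(("run_key_from_injected_lineage", e["pid"]))
    return hits

if __name__ == "__main__":
    for rule, pid in sorted(detect(EVENTS)):
        print(f"{rule:32} pid={pid}")
```

The last rule is the one worth keeping in production: a Run value whose data is a legitimate system binary (calc.exe here) looks benign in isolation and only becomes interesting once the writer's lineage is tied back to a SetThreadContext target, which is why the rules are evaluated over the whole tree rather than per event.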

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\sysvol.exe

"C:\Users\Admin\AppData\Local\Temp\sysvol.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 32046

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Compound + Injection + Emotions + Worm + Participants + Richmond + Alot 32046\Enters.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Disco 32046\r

C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif

32046\Enters.pif 32046\r

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif

C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif

C:\Windows\SysWoW64\calc.exe

C:\Windows\SysWoW64\calc.exe

C:\Windows\SysWoW64\calc.exe

C:\Windows\SysWoW64\calc.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\SysWoW64\calc.exe\" }"
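
The cmd.exe lines above are the dropper's batch stage: the renamed `Bathrooms` file is run as a .bat, two `tasklist | findstr /I` probes look for security-product processes, `copy /b` stitches seven dropped fragments (Compound, Injection, Emotions, Worm, Participants, Richmond, Alot) into `32046\Enters.pif`, `Disco` is copied to `32046\r` and handed to Enters.pif as its only argument, and `ping -n 5 127.0.0.1` is a sleep. The following is an added example, not code from the page, the sandbox or the sample: it reads those command lines back to recover the guard list and the fragment order, then reassembles the payload the same way `copy /b` does so the result can be hashed and compared with the Enters.pif entry in the Files section. The fragment bytes embedded here are constructed stand-ins, so the hash printed will not equal the one on the page; `load_fragments()` is the hook for pointing it at the real dropped files.

```python
"""Recover the batch dropper's guard list and reassemble its chunked payload.

Added example for this report, not code from the sample or the sandbox.
FAKE_FRAGMENTS are constructed stand-in bytes; the real fragments are the
files listed under Files, so the SHA256 computed here will not equal the
Enters.pif hash above unless load_fragments() is pointed at those files.
"""
import hashlib
import re
from pathlib import Path

# 'copy /b A + B + C dest' : binary concatenation in the listed order
COPY_B = re.compile(r"copy\s+/b\s+(?P<parts>.+?)\s+(?P<dest>\S+)\s*$", re.I)
FINDSTR = re.compile(r'findstr\s+/I\s+"(?P<names>[^"]+)"', re.I)

# Command lines copied from the Processes section of this report
DROPPER_CMDS = [
    'findstr /I "wrsa.exe opssvc.exe"',
    'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"',
    r"cmd /c copy /b Compound + Injection + Emotions + Worm + Participants + Richmond + Alot 32046\Enters.pif",
    r"cmd /c copy /b Disco 32046\r",
]

# Constructed placeholder contents, one short byte string per dropped fragment
FAKE_FRAGMENTS = {
    n: n.encode() + b"\x00"
    for n in ("Compound", "Injection", "Emotions", "Worm",
              "Participants", "Richmond", "Alot", "Disco")
}

def parse_copy_b(cmdline):
    """Return (ordered fragment names, destination) from a copy /b command line."""
    m = COPY_B.search(cmdline)
    if not m:
        raise ValueError(f"not a copy /b command: {cmdline!r}")
    order = [p.strip() for p in m.group("parts").split("+")]
    return order, m.group("dest")

def parse_findstr_targets(cmdline):
    """Return the process names a 'tasklist | findstr /I "..."' guard looks for."""
    m = FINDSTR.search(cmdline)
    return m.group("names").split() if m else []

def reassemble(fragments, order):
    """Concatenate fragments exactly as copy /b does; fail loudly if one is missing."""
    missing = [n for n in order if n not in fragments]
    if missing:
        raise FileNotFoundError(f"fragments not present: {missing}")
    return b"".join(fragments[n] for n in order)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def load_fragments(directory, order):
    """Read the real dropped fragments from a directory (e.g. a dump of the sandbox's Temp)."""
    base = Path(directory)
    return {n: (base / n).read_bytes() for n in order}

def analyse(cmds=DROPPER_CMDS, fragments=FAKE_FRAGMENTS):
    """Walk the command lines; return the AV guard list and each output's size and hash."""
    report = {"av_guards": [], "outputs": {}}
    for c in cmds:
        lowered = c.lower()
        if "findstr" in lowered:
            report["av_guards"].extend(parse_findstr_targets(c))
        elif "copy /b" in lowered:
            order, dest = parse_copy_b(c)
            blob = reassemble(fragments, order)
            report["outputs"][dest] = {"order": order, "size": len(blob),
                                       "sha256": sha256_hex(blob)}
    return report

if __name__ == "__main__":
    import json
    print(json.dumps(analyse(), indent=2))
```

With the real fragments, a matching SHA256 confirms that Enters.pif is nothing more than the seven dropped files in that order and that no later process modified it on disk; a mismatch means either a fragment was altered after the copy or the wrong file set was collected.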

Network

Country Destination Domain Proto
US 8.8.8.8:53 hRDHAYtAoQH.hRDHAYtAoQH udp
US 8.8.8.8:53 hostregister.info udp
US 188.114.97.2:443 hostregister.info tcp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 188.114.97.2:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
DE 146.70.169.164:2227 tcp
US 188.114.97.2:443 hostregister.info tcp
US 8.8.8.8:53 164.169.70.146.in-addr.arpa udp
RU 195.2.70.38:30001 195.2.70.38 tcp
RU 91.142.74.28:30001 91.142.74.28 tcp
US 8.8.8.8:53 28.74.142.91.in-addr.arpa udp
US 8.8.8.8:53 38.70.2.195.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
RU 195.2.70.38:30001 195.2.70.38 tcp
RU 91.142.74.28:30001 91.142.74.28 tcp
US 188.114.97.2:443 hostregister.info tcp
RU 195.2.70.38:30001 195.2.70.38 tcp
RU 91.142.74.28:30001 91.142.74.28 tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
RU 195.2.70.38:30001 195.2.70.38 tcp
RU 91.142.74.28:30001 91.142.74.28 tcp
US 188.114.97.2:443 hostregister.info tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
RU 195.2.70.38:30001 195.2.70.38 tcp
RU 91.142.74.28:30001 91.142.74.28 tcp
NL 109.234.39.110:20472 tcp
US 8.8.8.8:53 110.39.234.109.in-addr.arpa udp
US 188.114.97.2:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
US 8.8.8.8:53 hostregister.info udp
US 104.21.42.126:443 hostregister.info tcp
US 8.8.8.8:53 126.42.21.104.in-addr.arpa udp
US 104.21.42.126:443 hostregister.info tcp
US 104.21.42.126:443 hostregister.info tcp
NL 52.142.223.178:80 tcp
US 104.21.42.126:443 hostregister.info tcp
US 104.21.42.126:443 hostregister.info tcp
US 8.8.8.8:53 hostregister.info udp
US 188.114.96.2:443 hostregister.info tcp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 188.114.96.2:443 hostregister.info tcp
US 188.114.96.2:443 hostregister.info tcp
US 188.114.96.2:443 hostregister.info tcp
US 188.114.96.2:443 hostregister.info tcp
US 8.8.8.8:53 hostregister.info udp
US 172.67.162.8:443 hostregister.info tcp
US 8.8.8.8:53 8.162.67.172.in-addr.arpa udp
US 172.67.162.8:443 hostregister.info tcp
US 8.8.8.8:53 hostregister.info udp
US 188.114.96.2:443 hostregister.info tcp
US 188.114.96.2:443 hostregister.info tcp
US 188.114.96.2:443 hostregister.info tcp
US 188.114.96.2:443 hostregister.info tcp
US 188.114.96.2:443 hostregister.info tcp
US 8.8.8.8:53 hostregister.info udp
US 188.114.97.2:443 hostregister.info tcp
US 8.8.8.8:53 hostregister.info udp
US 172.67.162.8:443 hostregister.info tcp
US 172.67.162.8:443 hostregister.info tcp
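
The table above mixes three kinds of rows: the sample's own DNS queries to 8.8.8.8, reverse (PTR) lookups of addresses the run had already connected to, and the TCP sessions themselves. Two things stand out for blocking: hostregister.info is reached at four different 443 addresses within a single run, so a rule on the hostname is more durable than one on any single IP, while the 30001, 2227, 20472 and 80 sessions carry no name at all and are only blockable by address and port. The script below is an added example, not part of the report, that parses this row format, drops the PTR noise, and groups endpoints by the name they were reached under; the embedded rows are a subset copied from the table above so it runs offline.

```python
"""Turn the flat Network table of this report into deduplicated IOCs.

Added example for this page, not sandbox output. The rows in SAMPLE_TABLE
are copied from the behavioral1 Network section (a subset), so the script
runs offline.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE_TABLE = """\
US 8.8.8.8:53 hRDHAYtAoQH.hRDHAYtAoQH udp
US 8.8.8.8:53 hostregister.info udp
US 188.114.97.2:443 hostregister.info tcp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
DE 146.70.169.164:2227 tcp
US 8.8.8.8:53 164.169.70.146.in-addr.arpa udp
RU 195.2.70.38:30001 195.2.70.38 tcp
RU 91.142.74.28:30001 91.142.74.28 tcp
NL 109.234.39.110:20472 tcp
US 104.21.42.126:443 hostregister.info tcp
NL 52.142.223.178:80 tcp
US 172.67.162.8:443 hostregister.info tcp
US 188.114.97.2:443 hostregister.info tcp
"""

@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]   # None when the row has no name, or the name is just the IP again
    proto: str

def parse_row(row: str) -> Flow:
    """Rows are 'CC ip:port [domain] proto'; the domain column is optional."""
    tokens = row.split()
    if len(tokens) not in (3, 4):
        raise ValueError(f"unexpected row: {row!r}")
    ip, port = tokens[1].rsplit(":", 1)
    domain = tokens[2] if len(tokens) == 4 else None
    if domain == ip:
        domain = None
    return Flow(tokens[0], ip, int(port), domain, tokens[-1])

def parse_table(text: str):
    return [parse_row(r) for r in text.splitlines() if r.strip()]

def is_dns(f: Flow) -> bool:
    return f.proto == "udp" and f.port == 53

def extract_iocs(flows):
    """Split flows into (names the sample resolved, Counter of non-DNS endpoints).
    *.in-addr.arpa queries are reverse lookups of peers already contacted; they
    are environment noise, not names the malware asked for, so they are dropped."""
    names, endpoints = set(), Counter()
    for f in flows:
        if is_dns(f):
            if f.domain and not f.domain.endswith(".in-addr.arpa"):
                names.add(f.domain)
        else:
            endpoints[(f.ip, f.port, f.domain)] += 1
    return names, endpoints

def summarize(flows):
    """Group named endpoints by hostname; list bare-IP endpoints with session counts."""
    names, endpoints = extract_iocs(flows)
    by_name, bare = {}, {}
    for (ip, port, domain), n in endpoints.items():
        if domain:
            by_name.setdefault(domain, set()).add(ip)
        else:
            key = f"{ip}:{port}"
            bare[key] = bare.get(key, 0) + n
    return {"resolved_names": names, "name_to_ips": by_name, "bare_ip_endpoints": bare}

if __name__ == "__main__":
    for k, v in summarize(parse_table(SAMPLE_TABLE)).items():
        print(k, v)
```

Feed it the whole table rather than the subset and the `name_to_ips` entry for hostregister.info grows to all four addresses seen above, which is the signal that the name, not the address, is the stable indicator.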

Files

C:\Users\Admin\AppData\Local\Temp\Bathrooms

MD5 a0d9b89b48e8fc49b82d019ee8500484
SHA1 5ca4d2e68d734e2314bc226f0bd6b5c04e0bdac3
SHA256 f231fe2acf36b89ade78b80eb336650de0e4a7e9bfee25e70bce55a93c77e02a
SHA512 1ac26f3815f4477a1ba6e73fe90587952fda18dd4da2ccd201bb5a36eebbe76270ace8b5f8764e279568ed394e5bdcf9ee10a429ad6c76f9b462c37043034fe5

C:\Users\Admin\AppData\Local\Temp\Compound

MD5 da2be5607513a22a9d61d9538f5f0636
SHA1 e77975bb6f507b4089409a06ab2226a6d54bfefd
SHA256 640dd32f2764bdb5c0578093a02e828ff53e18d397512a1992bba583d1d2e648
SHA512 1f432b70928e2b41fe74427e086bca411c88710adba700c32bc6089d02684edd04859503269b95bfa64be7439ebbfd41d928d9a464717517db18e68bc3eb63f4

C:\Users\Admin\AppData\Local\Temp\Emotions

MD5 8a83e45fdfd2f28ef8210428fecdef9c
SHA1 db669761c961b72e7771cd8317c582ef8e48ddd1
SHA256 7e9d688abe2dd7d1ac4796a62d9e816d8c3efe719f2de72ce6c49221e027d2a7
SHA512 74dff439e42139117e9d384cb6323039683aaf5c18ed71285eec65d215eb4bf4a4c3e284231f1e7da6af9147606e9ccf13f081fb84f7f311f4e444878a7ab1e2

C:\Users\Admin\AppData\Local\Temp\Injection

MD5 4d21c2eec34495a74f67de9c7944bff3
SHA1 f9241a3fc121e397e23d6f3d07a3ee24b14137c2
SHA256 647a49b0eab7039c74d69e4142ed1be7f01afe9cbd6483d01039cf5b289973da
SHA512 8091201ebe4c08b105e558d2085aed1e90366ce289effa3e2d2a6b51d9364f1f68e3c1d8e54502931800a34d469152bb615e688d7563ac8b299de02c7161110c

C:\Users\Admin\AppData\Local\Temp\Alot

MD5 0c257b9edbcc7f41af6e1027bc0713ee
SHA1 2149a7bb22476f85610c842c34628b2f22d8a549
SHA256 7ac226e081d090f2e3cb99104b4226fcd5e77cb83f7edb23081c1a2bd376533c
SHA512 f98b584e5112a81336ad4d7f2a1a4066028fc0c9d7a0b5b148172bd4c9a0485983ea868522a61999415837fdbd73401cb703138729e03831dc39bbe6c1f3f25b

C:\Users\Admin\AppData\Local\Temp\Richmond

MD5 bc70f3222d729f92658b32a28c6d7375
SHA1 8591ee5231e1efcf3eadc507909ec98b2cf29614
SHA256 5f9ba61683e3b51ca21cb15674306b7c58b62ee68210d96ecf8fb00b1d396a2f
SHA512 10e7738f01e40321e305f89115df545c29a60bad47b91fca651cec8d1dcacb4551c72f838ac0a10f7d5739090d042ac429c85ebced5056809d0251d8c909f3c6

C:\Users\Admin\AppData\Local\Temp\Participants

MD5 53c678fa488852a4533e20624a3f4ac2
SHA1 22af659f0f7b6f09e3780ecafa87dff857c29707
SHA256 33f67ac58e056d541e9ffc261620bb6069bc3bdc0690cf6b1b4402cf64476da4
SHA512 79f7f93f9bc6b731bed2a69868cf2451b4c255fda7500914e8a0580b0fa6a8d468b2a2ec27c01f9b007e0addf9b5bc1abd569edeea16496464461cb09cb71fd7

C:\Users\Admin\AppData\Local\Temp\Disco

MD5 8de31c24cb7fe99ff6348875de7cd146
SHA1 8e2afafc129d1ddfc6de010029bb867f1708c6f6
SHA256 dc30e0b588b256bd593502a28b6ce43f0da029b38fd70408b19b415d219066df
SHA512 6a20368a0cbc03e25fb699815f584727c050f4b583ff8ee467e4a03ce4123c29d2f90dc8a4745831f5bc860b7deaa68a2bc19364c46bfe136956d265539ac133

C:\Users\Admin\AppData\Local\Temp\Worm

MD5 1624046c22d7d232e3ad77d456743551
SHA1 6ac978fe79d62baec9626ae3d18e2263ea91ede7
SHA256 0795d6a6fdc1bac55de379cd7f33e4440dc3645e748f91d2b3b4dddf38a8635a
SHA512 da89fc52fab7905d82fd1d9abb92ba53ec5f93f1ed296acab297aeeb8ce0b708052f8b519300926323001274d769b859778fbb7e736375f6e7c196f6287dcdc3

C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif

MD5 bfa84dbde0df8f1cad3e179bd46a6e34
SHA1 06ae3c38d4b2f8125656268925ebde9eca6a1f9e
SHA256 6de412b8674ffba5d78ff9d36abffbe2cf86fd08b2231592fca2fcf41f1f2314
SHA512 edd4c839437570003e1cc4a04e6cb7bf8c70c0ebdae741e69782e9bdf47c42441cd8d709170898859b94b3248cccf0e9dfa5e183c110b93ded935ce69a0ff82a

memory/4564-24-0x000001E6503F0000-0x000001E6503F1000-memory.dmp

memory/2672-26-0x000001EA2E850000-0x000001EA2E9FC000-memory.dmp

memory/2672-27-0x000001EA2E850000-0x000001EA2E9FC000-memory.dmp

memory/2672-29-0x000001EA2E850000-0x000001EA2E9FC000-memory.dmp

memory/2672-30-0x000001EA2E850000-0x000001EA2E9FC000-memory.dmp

memory/2672-31-0x000001EA2E850000-0x000001EA2E9FC000-memory.dmp

memory/2672-32-0x000001EA2E850000-0x000001EA2E9FC000-memory.dmp

memory/2672-33-0x000001EA2E850000-0x000001EA2E9FC000-memory.dmp

memory/2672-34-0x000001EA2E850000-0x000001EA2E9FC000-memory.dmp

memory/2672-35-0x000001EA2E850000-0x000001EA2E9FC000-memory.dmp

memory/2672-36-0x000001EA2E850000-0x000001EA2E9FC000-memory.dmp

memory/2672-37-0x000001EA2E850000-0x000001EA2E9FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif

MD5 bde17ad7c1841f36662a1241e1b6b128
SHA1 ce2f0b19da0651edbc1ec39da4b2c487970206aa
SHA256 48bd22986a35562067231d88f73f6a695290ae77fe09865ad1e94807f019fc72
SHA512 f24a5aa2c8609271c8b26c0eaf8a7d09b1697e969a4cb4b6c9b03858f98b681d52dac6fa2817ff20e00c5748007840180be59273296ca1be4f94bbfa173b2260

memory/2672-39-0x000001EA2ED80000-0x000001EA2ED83000-memory.dmp

\Users\Admin\AppData\Local\Temp\THC819F.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2492-44-0x00000000009F0000-0x00000000009F1000-memory.dmp

memory/2492-45-0x0000000000220000-0x000000000022A000-memory.dmp

memory/2068-48-0x0000000000820000-0x000000000103C000-memory.dmp

memory/4308-54-0x0000000006450000-0x0000000006486000-memory.dmp

memory/4308-55-0x0000000073FC0000-0x00000000746AE000-memory.dmp

memory/4308-56-0x00000000065D0000-0x00000000065E0000-memory.dmp

memory/4308-57-0x00000000065D0000-0x00000000065E0000-memory.dmp

memory/4308-58-0x0000000006C10000-0x0000000007238000-memory.dmp

memory/4308-59-0x0000000006A80000-0x0000000006AA2000-memory.dmp

memory/4308-60-0x00000000072B0000-0x0000000007316000-memory.dmp

memory/4308-61-0x0000000007320000-0x0000000007386000-memory.dmp

memory/4308-62-0x0000000007640000-0x0000000007990000-memory.dmp

memory/4308-65-0x0000000007390000-0x00000000073AC000-memory.dmp

memory/4308-66-0x0000000007E40000-0x0000000007E8B000-memory.dmp

memory/4308-67-0x0000000007BD0000-0x0000000007C46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i4lbdxkj.14m.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4308-82-0x0000000008AD0000-0x0000000008B64000-memory.dmp

memory/4308-83-0x0000000008A00000-0x0000000008A1A000-memory.dmp

memory/4308-84-0x0000000008A60000-0x0000000008A82000-memory.dmp

memory/4308-85-0x0000000009320000-0x000000000981E000-memory.dmp

memory/4308-88-0x00000000065D0000-0x00000000065E0000-memory.dmp

memory/4308-92-0x0000000073FC0000-0x00000000746AE000-memory.dmp

memory/2068-93-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-94-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-98-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-99-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-101-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-104-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-105-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-109-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-111-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-112-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-113-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-115-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-116-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-117-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-118-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-119-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-121-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-122-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-123-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-124-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-125-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-127-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-128-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-130-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-131-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-133-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-134-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-136-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-137-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-138-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-140-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-142-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-143-0x0000000000820000-0x000000000103C000-memory.dmp

memory/2068-144-0x0000000000820000-0x000000000103C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 14:03

Reported

2024-03-11 14:35

Platform

win10v2004-20231215-en

Max time kernel

1764s

Max time network

1771s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect Poverty Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A

Poverty Stealer

stealer povertystealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2232 created 3468 N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif C:\Windows\Explorer.EXE

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sysvol.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\App = "C:\\Windows\\SysWoW64\\calc.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2232 set thread context of 2956 N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif
PID 2956 set thread context of 3672 N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 2956 set thread context of 5008 N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif C:\Windows\SysWoW64\calc.exe

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5104 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\sysvol.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\sysvol.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\sysvol.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3600 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3600 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3600 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3600 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3600 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3600 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3600 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3600 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3600 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3600 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3600 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3600 wrote to memory of 4216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 4216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 4216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif
PID 3600 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif
PID 3600 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3600 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3600 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2232 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif
PID 2232 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif
PID 2232 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif
PID 2232 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif
PID 2956 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 2956 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 2956 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 2956 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 2956 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 2956 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 2956 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 2956 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif C:\Windows\SysWoW64\calc.exe
PID 5008 wrote to memory of 2720 N/A C:\Windows\SysWoW64\calc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 2720 N/A C:\Windows\SysWoW64\calc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 2720 N/A C:\Windows\SysWoW64\calc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\sysvol.exe

"C:\Users\Admin\AppData\Local\Temp\sysvol.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 32216

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Compound + Injection + Emotions + Worm + Participants + Richmond + Alot 32216\Enters.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Disco 32216\r

C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif

32216\Enters.pif 32216\r

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif

C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif

C:\Windows\SysWoW64\calc.exe

C:\Windows\SysWoW64\calc.exe

C:\Windows\SysWoW64\calc.exe

C:\Windows\SysWoW64\calc.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\SysWoW64\calc.exe\" }"

Network


Files

C:\Users\Admin\AppData\Local\Temp\Bathrooms

C:\Users\Admin\AppData\Local\Temp\Injection

C:\Users\Admin\AppData\Local\Temp\Compound

C:\Users\Admin\AppData\Local\Temp\Alot

C:\Users\Admin\AppData\Local\Temp\Disco

C:\Users\Admin\AppData\Local\Temp\Richmond

C:\Users\Admin\AppData\Local\Temp\Participants

C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif

C:\Users\Admin\AppData\Local\Temp\Worm

C:\Users\Admin\AppData\Local\Temp\Emotions

C:\Users\Admin\AppData\Local\Temp\32216\r

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xtuxvypr.tbm.ps1
