Analysis Overview
SHA256
6ebd5512d5cede4fdf769c35a48727c5fd5acb8ac40ae4c5ea7e9ca37fc8747b
Threat Level: Known bad
The file LastActivityView.exe was found to be: Known bad.
Malicious Activity Summary
Detect Umbral payload
xmrig
Xworm family
Detect Xworm Payload
Xworm
Umbral
XMRig Miner payload
Creates new service(s)
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Stops running service(s)
Reads user/profile data of web browsers
Drops startup file
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
UPX packed file
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Adds Run key to start application
Drops file in System32 directory
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Modifies data under HKEY_USERS
Detects videocard installed
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Runs ping.exe
Views/modifies file attributes
Enumerates system info in registry
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-06 22:18
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-06 22:18
Reported
2024-05-06 22:21
Platform
win7-20240215-en
Max time kernel
132s
Max time network
147s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Xworm
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe | N/A |
Stops running service(s)
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.lnk | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.lnk | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe | N/A |
| N/A | N/A | C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\haoqla.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052 = "C:\\ProgramData\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe" | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | 2.tcp.eu.ngrok.io | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\haoqla.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40532fa903a0da01 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe
"C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LastActivityView.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052" /tr "C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {4B9DD97F-64F5-4011-84F4-6DDC103A5D24} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe
"C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe"
C:\Windows\system32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\system32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
C:\Users\Admin\AppData\Local\Temp\haoqla.exe
"C:\Users\Admin\AppData\Local\Temp\haoqla.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "XLZQHCLS"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "XLZQHCLS" binpath= "C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "XLZQHCLS"
C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
conhost.exe
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 3.126.37.18:16861 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.126.37.18:16861 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.126.37.18:16861 | 2.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 216.58.201.99:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:443 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| DE | 95.179.241.203:443 | pool.hashvault.pro | tcp |
Files
memory/1956-0-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp
memory/1956-1-0x0000000000A60000-0x0000000000A7C000-memory.dmp
memory/1956-2-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp
memory/2500-7-0x0000000002B60000-0x0000000002BE0000-memory.dmp
memory/2500-8-0x000000001B690000-0x000000001B972000-memory.dmp
memory/2500-9-0x0000000002320000-0x0000000002328000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | df16b737d2b17300089b7929e770638e |
| SHA1 | 058b36d7f1d1157957194779deb8c0f1c488f4b9 |
| SHA256 | 3fcd827dde75838ff8ba78aed57a9441037a835299643dfc88e2c6188dd54201 |
| SHA512 | 429411fbba4ec21e8128a89f2f8afdad747e81cccc19f76647e55fe0ab12c7aec87ec6b647820bd2dfb701cdf3fad0e29a192876cf852e7b920eba5542309de4 |
memory/2936-15-0x000000001B620000-0x000000001B902000-memory.dmp
memory/2936-16-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
| MD5 | 499e35df562563babfff6a1d2ee71743 |
| SHA1 | 7bece5115d9df1fa43b6a7a69f9574a498388960 |
| SHA256 | 6ebd5512d5cede4fdf769c35a48727c5fd5acb8ac40ae4c5ea7e9ca37fc8747b |
| SHA512 | 2df1934de1f45661ab929a7f7658478f5a3d8cacfbe682f1f6b8bee8a49ab2720141a1c0ea74608e14002ff5132cb0932c7fb5b3790575b5e23c5327adfdf377 |
memory/1004-36-0x0000000000280000-0x000000000029C000-memory.dmp
memory/1956-37-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp
memory/1956-38-0x0000000002280000-0x000000000228C000-memory.dmp
memory/1956-39-0x0000000002290000-0x000000000229C000-memory.dmp
memory/1956-40-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe
| MD5 | f94e3703ca371767d93f5a88b74fbee7 |
| SHA1 | 80530e8ffb3fc7d2c36e339b70bcae0d0014b7f5 |
| SHA256 | 954af7a9095306263dce0c4d05eda925de49041ad6ea7c37a23fed8cbc97f1d7 |
| SHA512 | ca0ba2f5a26a26eeb0e15a5b99be937b7d695411f043b1629ef10f7106f26a1096229f763b0ab86796d8f37efc62f469e399206d7a8c706e4043112269f01066 |
memory/2216-46-0x0000000000D20000-0x0000000000D60000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | d65b4e32aabe27e536fa6e022e261898 |
| SHA1 | eac588b8baae14e1630ff26986b7438442c73e35 |
| SHA256 | 99290594f3ab6c8513111ceb80dce67ccee67576226332bbade94175c984b393 |
| SHA512 | 9862a621bc0db50d24fed9f533437138305b07d4356f285cb7e6df0110c67c184bac1e2bf6e2fcd759e306ee886936bdccb6b2713d12eb6a279e629990da532d |
memory/1848-89-0x0000000000070000-0x000000000008C000-memory.dmp
\Users\Admin\AppData\Local\Temp\haoqla.exe
| MD5 | 130df035c0e6dff9670a1ac38a05c575 |
| SHA1 | 4b92ff37f74367e9f061a14234afeb78996b3dde |
| SHA256 | 3456657a4b93eae6c909e3fbd9db371198fa8accc9b5317bc0bbc1eaf105f8ce |
| SHA512 | eb8dd85776a71956eeb396c34ded4714160f22cba111989d94f39d853551e5b1e0fa064003bee3ec0b07cfe58b5e8f6728bd54d706b7a6b3833f73b797ca6fa4 |
memory/2672-101-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2672-102-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2904-108-0x0000000001FB0000-0x0000000001FB8000-memory.dmp
C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
| MD5 | 66e7e13f5174dd1558fe12d6eab50b0d |
| SHA1 | f1ef209c02c2b4e7aa4d1e99068e3e9fe45b51e9 |
| SHA256 | 326135f25eff5cc8f0ec045467a24a326e88745c0efaa03ff04d220ea4b13105 |
| SHA512 | b941640c71070b164d7f5b92a6ccffb4c2b69c45d54bb083f0dc7d9fed098618fd7ed4cf245aeba435bdbef13b844f3dccf4a4b1a576edacecb631255da0b1cb |
memory/1780-113-0x00000000009A0000-0x00000000009A8000-memory.dmp
\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
| MD5 | c379ea878a21194d58e8a4303cd69ef9 |
| SHA1 | 1dd404638a2357ace1313ea747e7e3a76ac0790b |
| SHA256 | 4350529c8e25e931298764dfec8d72302ca1a8038bc2f5f1054527f1cef0c412 |
| SHA512 | f12802ca704490ac6a658841e21627252bc69b5c5b84a21acc0aa67052c0e439e2a6da11ef77857896088d5eef22e33fac94de860b93dff6065d9a1ea6f9b902 |
\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
| MD5 | c67da1302d15ac126dd83ad15feae07c |
| SHA1 | 97d0354b914da35ec3a0a82e4517437377f6d7b6 |
| SHA256 | 7d6e3af82cc409217b54fa431084ee6195087e0f8e7c236dc93b38957bad1baf |
| SHA512 | 23e1448c6f538637f6aec33cee9050499f0b70fca9308244161572f920e6fc678fc9ae814b813e4af95f6be1589da31eae0c8b9d5780f67b0dd469ac91117f7a |
C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
| MD5 | 1694a7e94cdbb7b4bbdcc7d39db9665c |
| SHA1 | d9edcbc7848ec39abf724c9e9e0da6475eed1e91 |
| SHA256 | 66dcd34feca9880f03d1486f9ad8ca02c3760669b23ef17afb65ab620dfc49c0 |
| SHA512 | 7b4d6e4bf038721535a83d97fe060bcc56972ad732a6fbd4a66acfaec998eb8aed91f376b09437269bcbac120bd39ca89e5f4bc8eade293faeaaff07943ac436 |
memory/1548-122-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1548-119-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1548-120-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1548-117-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2992-126-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2992-128-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2992-136-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2992-135-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2992-131-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2992-130-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2992-134-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2992-127-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2992-133-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2992-132-0x0000000000140000-0x0000000000160000-memory.dmp
memory/2992-129-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2992-125-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1548-124-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1548-118-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2992-137-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2992-138-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2992-139-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2152-141-0x00000000001D0000-0x00000000001EC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-06 22:18
Reported
2024-05-06 22:21
Platform
win10v2004-20240419-en
Max time kernel
138s
Max time network
149s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.lnk | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.lnk | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe | N/A |
| N/A | N/A | C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe | N/A |
| N/A | N/A | C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052 = "C:\\ProgramData\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe" | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | 2.tcp.eu.ngrok.io | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe
"C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LastActivityView.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052" /tr "C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe"
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| BE | 88.221.83.210:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 3.126.37.18:16861 | 2.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 18.37.126.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.15.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/800-0-0x0000000000220000-0x000000000023C000-memory.dmp
memory/800-1-0x00007FFCA4693000-0x00007FFCA4695000-memory.dmp
memory/800-2-0x00007FFCA4690000-0x00007FFCA5151000-memory.dmp
memory/116-3-0x0000022FB5790000-0x0000022FB57B2000-memory.dmp
memory/116-9-0x00007FFCA4690000-0x00007FFCA5151000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5in1queh.cmy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/116-14-0x00007FFCA4690000-0x00007FFCA5151000-memory.dmp
memory/116-15-0x00007FFCA4690000-0x00007FFCA5151000-memory.dmp
memory/116-18-0x00007FFCA4690000-0x00007FFCA5151000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e60eb305a7b2d9907488068b7065abd3 |
| SHA1 | 1643dd7f915ac50c75bc01c53d68c5dafb9ce28d |
| SHA256 | ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135 |
| SHA512 | 95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ba169f4dcbbf147fe78ef0061a95e83b |
| SHA1 | 92a571a6eef49fff666e0f62a3545bcd1cdcda67 |
| SHA256 | 5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1 |
| SHA512 | 8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c |
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
| MD5 | 499e35df562563babfff6a1d2ee71743 |
| SHA1 | 7bece5115d9df1fa43b6a7a69f9574a498388960 |
| SHA256 | 6ebd5512d5cede4fdf769c35a48727c5fd5acb8ac40ae4c5ea7e9ca37fc8747b |
| SHA512 | 2df1934de1f45661ab929a7f7658478f5a3d8cacfbe682f1f6b8bee8a49ab2720141a1c0ea74608e14002ff5132cb0932c7fb5b3790575b5e23c5327adfdf377 |
memory/800-59-0x00007FFCA4693000-0x00007FFCA4695000-memory.dmp
memory/800-61-0x00007FFCA4690000-0x00007FFCA5151000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |