Malware Analysis Report

2024-11-16 13:37

Sample ID 240530-mv7shaef5t
Target 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d
SHA256 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d

Threat Level: Known bad

The file 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Detect Xworm Payload

Xworm

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 10:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 10:48

Reported

2024-05-30 10:50

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\ProgramData\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\ProgramData\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "C:\\ProgramData\\cmd.exe" C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2012 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 2012 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 2012 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 2012 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 2012 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 2012 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 2012 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 2012 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 2120 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\schtasks.exe
PID 2120 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\schtasks.exe
PID 2120 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\schtasks.exe
PID 1404 wrote to memory of 4148 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1404 wrote to memory of 4148 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1404 wrote to memory of 4148 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1404 wrote to memory of 1996 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1404 wrote to memory of 1996 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1404 wrote to memory of 1996 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1404 wrote to memory of 5112 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1404 wrote to memory of 5112 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1404 wrote to memory of 5112 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1404 wrote to memory of 228 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 1404 wrote to memory of 228 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 1404 wrote to memory of 228 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 1404 wrote to memory of 228 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 1404 wrote to memory of 228 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 1404 wrote to memory of 228 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 1404 wrote to memory of 228 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 1404 wrote to memory of 228 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 388 wrote to memory of 4816 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 388 wrote to memory of 4816 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 388 wrote to memory of 4816 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 388 wrote to memory of 4524 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 388 wrote to memory of 4524 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 388 wrote to memory of 4524 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 388 wrote to memory of 4712 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 388 wrote to memory of 4712 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 388 wrote to memory of 4712 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 388 wrote to memory of 2324 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 388 wrote to memory of 2324 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 388 wrote to memory of 2324 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 388 wrote to memory of 2324 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 388 wrote to memory of 2324 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 388 wrote to memory of 2324 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

"C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=3852 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1DD4.tmp"

C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

"C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe"

C:\ProgramData\cmd.exe

C:\ProgramData\cmd.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC94.tmp"

C:\ProgramData\cmd.exe

"C:\ProgramData\cmd.exe"

C:\ProgramData\cmd.exe

C:\ProgramData\cmd.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA30C.tmp"

C:\ProgramData\cmd.exe

"C:\ProgramData\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.137:443 www.bing.com tcp
US 8.8.8.8:53 137.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 lubriaceites.com udp
US 212.1.210.79:443 lubriaceites.com tcp
US 8.8.8.8:53 79.210.1.212.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 beshomandotestbesnd.run.place udp
US 45.88.186.125:7000 beshomandotestbesnd.run.place tcp
US 8.8.8.8:53 125.186.88.45.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 212.1.210.79:443 lubriaceites.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 212.1.210.79:443 lubriaceites.com tcp

Files

memory/2012-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

memory/2012-1-0x0000000000310000-0x0000000000398000-memory.dmp

memory/2012-2-0x0000000005250000-0x00000000057F4000-memory.dmp

memory/2012-3-0x0000000004CA0000-0x0000000004D32000-memory.dmp

memory/2012-4-0x0000000004C50000-0x0000000004C5A000-memory.dmp

memory/2012-5-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/2012-6-0x0000000004E50000-0x0000000004E6A000-memory.dmp

memory/2012-7-0x0000000004E70000-0x0000000004E80000-memory.dmp

memory/2012-8-0x0000000006120000-0x000000000617A000-memory.dmp

memory/2012-9-0x0000000008C10000-0x0000000008CAC000-memory.dmp

memory/4292-10-0x0000000002620000-0x0000000002656000-memory.dmp

memory/4292-11-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/4292-12-0x0000000005060000-0x0000000005688000-memory.dmp

memory/4292-13-0x00000000056E0000-0x0000000005702000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c5ytugco.fwl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4292-20-0x00000000058F0000-0x0000000005956000-memory.dmp

memory/4292-19-0x0000000005880000-0x00000000058E6000-memory.dmp

memory/4292-21-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/4292-26-0x0000000005A60000-0x0000000005DB4000-memory.dmp

memory/4292-27-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/4292-28-0x0000000005F50000-0x0000000005F6E000-memory.dmp

memory/4292-30-0x0000000005FE0000-0x000000000602C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\explorer.exe

MD5 a58e024a498d2d65891d53c48db4359c
SHA1 22baf45820cf21b769debfa98d4afcf2b7306161
SHA256 38cce372b260b28b834ccf81a6628bfe43f449c3a391e1ad7913efe33162230a
SHA512 3d99f7fa228d27499eab0343622eec0d54e45d40a2828cd10349155d35a26a3d1220c1bfcbc8f6507c44db9a034dcfc0e0bb6b06bbbd2e786a399a89cfce3500

C:\Users\Admin\AppData\Local\Temp\tmp1DD4.tmp

MD5 80e59a8b52173ac74b711bc8a50c85be
SHA1 931d8a1b799b6537bec2a980952a1b553732d5ae
SHA256 b669b5a788b72fcf3993906424a416f4e3c4e20ecb7cb7fad9b7796f85d0f320
SHA512 8394be8a38f83b87092031714cc71837033b879462bdfab41605a1a9a51e641215d521473612757f38b6e21b930cc5fe43545dc6de2a2c8bc96e0b9e00d5229e

memory/2120-44-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2012-51-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/4292-57-0x000000006F6B0000-0x000000006F6FC000-memory.dmp

memory/4292-68-0x0000000007130000-0x00000000071D3000-memory.dmp

memory/4292-67-0x0000000006F10000-0x0000000006F2E000-memory.dmp

memory/4292-56-0x0000000006510000-0x0000000006542000-memory.dmp

memory/4292-69-0x00000000078B0000-0x0000000007F2A000-memory.dmp

memory/4292-70-0x0000000007270000-0x000000000728A000-memory.dmp

memory/4292-71-0x00000000072E0000-0x00000000072EA000-memory.dmp

memory/1564-72-0x000000006F6B0000-0x000000006F6FC000-memory.dmp

memory/4292-82-0x00000000074F0000-0x0000000007586000-memory.dmp

memory/1564-83-0x0000000007390000-0x00000000073A1000-memory.dmp

memory/4292-84-0x00000000074A0000-0x00000000074AE000-memory.dmp

memory/1564-85-0x00000000073D0000-0x00000000073E4000-memory.dmp

memory/1564-86-0x00000000074D0000-0x00000000074EA000-memory.dmp

memory/4292-87-0x0000000007590000-0x0000000007598000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3d93e9b3b1828d167b45a70a3d585191
SHA1 293da9aab3091897ca5580f7aae9d77cdc11a2b2
SHA256 80fe0d5a7ae8fe54487d23b2521ef26a04abd7dff54cfe1930bcccee0f2d66d0
SHA512 0f96c187c97a435856ad9514e429b67628ead7c44b78886ab0229ff36db0069d12511ca07017e508e16cd588888b5b634c5a7c0b910cd452f232acd3f364cb98

memory/4292-93-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/2948-103-0x0000000006300000-0x0000000006654000-memory.dmp

memory/2948-105-0x0000000006AE0000-0x0000000006B2C000-memory.dmp

memory/2948-106-0x00000000702A0000-0x00000000702EC000-memory.dmp

memory/2948-116-0x0000000007BF0000-0x0000000007C93000-memory.dmp

memory/2948-117-0x0000000007EA0000-0x0000000007EB1000-memory.dmp

memory/2948-118-0x0000000007EF0000-0x0000000007F04000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4311ae8171a1b4b6f3112bd3e242841d
SHA1 79bc53d0cc2de993934c92bf8aa8cae2805240d1
SHA256 fbd07a3f61985b3e073181648352c65673ccc25b88605fdf5712db50a162763b
SHA512 f2f431a04317b3dfe48fb41a97d2e63120e3c8dfe5cf4fccb289d593d4e4f2c6e0d7d110b166ea40d04a137027199da95041d99102bf4966035f6154cc43512c

memory/1832-130-0x00000000702A0000-0x00000000702EC000-memory.dmp

memory/3296-150-0x0000000006190000-0x00000000064E4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f37a5347c5e0303f901aa11f16889f2c
SHA1 fc18b5e5c7ba9ec1bb6a6767b33c27483b30076d
SHA256 200639109561a487d0f32220ca00f20bca9006e23515c83e2eea4fc9670993fa
SHA512 9089ad71d140240493c94a8fe341c828bfcb9e975598c26118a287688283da4010a5d2aceec755ff3b29f8054df07ba0abfdae8b86663388b77bb407b441a1c8

memory/3296-152-0x00000000702A0000-0x00000000702EC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c0f92d8499fcb499af77ae87dd1db298
SHA1 213943a776a71477968630cdf186d96d5e483ed0
SHA256 1ab10190fb93b1e5686e6fe58f282a9bc57661efb02804a429e40a71387b54de
SHA512 879d04940152cbb1b14a737a8511a2f8d603291b770533242335cdcfb089c698d0e29ac10d86f6f875ca11a0932fc92774010c45227a2b797cb8f87069506982


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 10:48

Reported

2024-05-30 10:50

Platform

win11-20240426-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "C:\\ProgramData\\cmd.exe" C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 448 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 448 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 448 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 448 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 448 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 448 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 448 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\schtasks.exe
PID 448 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\schtasks.exe
PID 448 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\schtasks.exe
PID 448 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 448 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 448 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 448 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 448 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 448 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 448 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 448 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 4792 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\schtasks.exe
PID 4792 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\schtasks.exe
PID 4792 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe C:\Windows\SysWOW64\schtasks.exe
PID 2140 wrote to memory of 3252 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 3252 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 3252 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 552 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 552 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 552 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1384 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2140 wrote to memory of 1384 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2140 wrote to memory of 1384 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2140 wrote to memory of 1980 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 2140 wrote to memory of 1980 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 2140 wrote to memory of 1980 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 2140 wrote to memory of 1980 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 2140 wrote to memory of 1980 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 2140 wrote to memory of 1980 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 2140 wrote to memory of 1980 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 2140 wrote to memory of 1980 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 1464 wrote to memory of 3224 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1464 wrote to memory of 3224 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1464 wrote to memory of 3224 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1464 wrote to memory of 2872 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1464 wrote to memory of 2872 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1464 wrote to memory of 2872 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1464 wrote to memory of 4184 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1464 wrote to memory of 4184 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1464 wrote to memory of 4184 N/A C:\ProgramData\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1464 wrote to memory of 4752 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 1464 wrote to memory of 4752 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 1464 wrote to memory of 4752 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 1464 wrote to memory of 4848 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 1464 wrote to memory of 4848 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe
PID 1464 wrote to memory of 4848 N/A C:\ProgramData\cmd.exe C:\ProgramData\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

"C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F83.tmp"

C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

"C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe"

C:\ProgramData\cmd.exe

C:\ProgramData\cmd.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1855.tmp"

C:\ProgramData\cmd.exe

"C:\ProgramData\cmd.exe"

C:\ProgramData\cmd.exe

C:\ProgramData\cmd.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2E4.tmp"

C:\ProgramData\cmd.exe

"C:\ProgramData\cmd.exe"

C:\ProgramData\cmd.exe

"C:\ProgramData\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 lubriaceites.com udp
US 212.1.210.79:443 lubriaceites.com tcp
US 8.8.8.8:53 79.210.1.212.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:7000 N/A tcp
US 45.88.186.125:7000 beshomandotestbesnd.run.place tcp
US 212.1.210.79:443 lubriaceites.com tcp
US 212.1.210.79:443 lubriaceites.com tcp

Files
