Analysis Overview
SHA256
30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d
Threat Level: Known bad
The file 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Drops startup file
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 10:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 10:48
Reported
2024-05-30 10:50
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\ProgramData\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\ProgramData\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk | C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk | C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\cmd.exe | N/A |
| N/A | N/A | C:\ProgramData\cmd.exe | N/A |
| N/A | N/A | C:\ProgramData\cmd.exe | N/A |
| N/A | N/A | C:\ProgramData\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "C:\\ProgramData\\cmd.exe" | C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2012 set thread context of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe | C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe |
| PID 1404 set thread context of 228 | N/A | C:\ProgramData\cmd.exe | C:\ProgramData\cmd.exe |
| PID 388 set thread context of 2324 | N/A | C:\ProgramData\cmd.exe | C:\ProgramData\cmd.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
"C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=3852 /prefetch:8
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1DD4.tmp"
C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
"C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe"
C:\ProgramData\cmd.exe
C:\ProgramData\cmd.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC94.tmp"
C:\ProgramData\cmd.exe
"C:\ProgramData\cmd.exe"
C:\ProgramData\cmd.exe
C:\ProgramData\cmd.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA30C.tmp"
C:\ProgramData\cmd.exe
"C:\ProgramData\cmd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.137:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 137.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lubriaceites.com | udp |
| US | 212.1.210.79:443 | lubriaceites.com | tcp |
| US | 8.8.8.8:53 | 79.210.1.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beshomandotestbesnd.run.place | udp |
| US | 45.88.186.125:7000 | beshomandotestbesnd.run.place | tcp |
| US | 8.8.8.8:53 | 125.186.88.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 212.1.210.79:443 | lubriaceites.com | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 212.1.210.79:443 | lubriaceites.com | tcp |
Files
memory/2012-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp
memory/2012-1-0x0000000000310000-0x0000000000398000-memory.dmp
memory/2012-2-0x0000000005250000-0x00000000057F4000-memory.dmp
memory/2012-3-0x0000000004CA0000-0x0000000004D32000-memory.dmp
memory/2012-4-0x0000000004C50000-0x0000000004C5A000-memory.dmp
memory/2012-5-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/2012-6-0x0000000004E50000-0x0000000004E6A000-memory.dmp
memory/2012-7-0x0000000004E70000-0x0000000004E80000-memory.dmp
memory/2012-8-0x0000000006120000-0x000000000617A000-memory.dmp
memory/2012-9-0x0000000008C10000-0x0000000008CAC000-memory.dmp
memory/4292-10-0x0000000002620000-0x0000000002656000-memory.dmp
memory/4292-11-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/4292-12-0x0000000005060000-0x0000000005688000-memory.dmp
memory/4292-13-0x00000000056E0000-0x0000000005702000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c5ytugco.fwl.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4292-20-0x00000000058F0000-0x0000000005956000-memory.dmp
memory/4292-19-0x0000000005880000-0x00000000058E6000-memory.dmp
memory/4292-21-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/4292-26-0x0000000005A60000-0x0000000005DB4000-memory.dmp
memory/4292-27-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/4292-28-0x0000000005F50000-0x0000000005F6E000-memory.dmp
memory/4292-30-0x0000000005FE0000-0x000000000602C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\explorer.exe
| MD5 | a58e024a498d2d65891d53c48db4359c |
| SHA1 | 22baf45820cf21b769debfa98d4afcf2b7306161 |
| SHA256 | 38cce372b260b28b834ccf81a6628bfe43f449c3a391e1ad7913efe33162230a |
| SHA512 | 3d99f7fa228d27499eab0343622eec0d54e45d40a2828cd10349155d35a26a3d1220c1bfcbc8f6507c44db9a034dcfc0e0bb6b06bbbd2e786a399a89cfce3500 |
C:\Users\Admin\AppData\Local\Temp\tmp1DD4.tmp
| MD5 | 80e59a8b52173ac74b711bc8a50c85be |
| SHA1 | 931d8a1b799b6537bec2a980952a1b553732d5ae |
| SHA256 | b669b5a788b72fcf3993906424a416f4e3c4e20ecb7cb7fad9b7796f85d0f320 |
| SHA512 | 8394be8a38f83b87092031714cc71837033b879462bdfab41605a1a9a51e641215d521473612757f38b6e21b930cc5fe43545dc6de2a2c8bc96e0b9e00d5229e |
memory/2120-44-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2012-51-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/4292-57-0x000000006F6B0000-0x000000006F6FC000-memory.dmp
memory/4292-68-0x0000000007130000-0x00000000071D3000-memory.dmp
memory/4292-67-0x0000000006F10000-0x0000000006F2E000-memory.dmp
memory/4292-56-0x0000000006510000-0x0000000006542000-memory.dmp
memory/4292-69-0x00000000078B0000-0x0000000007F2A000-memory.dmp
memory/4292-70-0x0000000007270000-0x000000000728A000-memory.dmp
memory/4292-71-0x00000000072E0000-0x00000000072EA000-memory.dmp
memory/1564-72-0x000000006F6B0000-0x000000006F6FC000-memory.dmp
memory/4292-82-0x00000000074F0000-0x0000000007586000-memory.dmp
memory/1564-83-0x0000000007390000-0x00000000073A1000-memory.dmp
memory/4292-84-0x00000000074A0000-0x00000000074AE000-memory.dmp
memory/1564-85-0x00000000073D0000-0x00000000073E4000-memory.dmp
memory/1564-86-0x00000000074D0000-0x00000000074EA000-memory.dmp
memory/4292-87-0x0000000007590000-0x0000000007598000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3d93e9b3b1828d167b45a70a3d585191 |
| SHA1 | 293da9aab3091897ca5580f7aae9d77cdc11a2b2 |
| SHA256 | 80fe0d5a7ae8fe54487d23b2521ef26a04abd7dff54cfe1930bcccee0f2d66d0 |
| SHA512 | 0f96c187c97a435856ad9514e429b67628ead7c44b78886ab0229ff36db0069d12511ca07017e508e16cd588888b5b634c5a7c0b910cd452f232acd3f364cb98 |
memory/4292-93-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/2948-103-0x0000000006300000-0x0000000006654000-memory.dmp
memory/2948-105-0x0000000006AE0000-0x0000000006B2C000-memory.dmp
memory/2948-106-0x00000000702A0000-0x00000000702EC000-memory.dmp
memory/2948-116-0x0000000007BF0000-0x0000000007C93000-memory.dmp
memory/2948-117-0x0000000007EA0000-0x0000000007EB1000-memory.dmp
memory/2948-118-0x0000000007EF0000-0x0000000007F04000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4311ae8171a1b4b6f3112bd3e242841d |
| SHA1 | 79bc53d0cc2de993934c92bf8aa8cae2805240d1 |
| SHA256 | fbd07a3f61985b3e073181648352c65673ccc25b88605fdf5712db50a162763b |
| SHA512 | f2f431a04317b3dfe48fb41a97d2e63120e3c8dfe5cf4fccb289d593d4e4f2c6e0d7d110b166ea40d04a137027199da95041d99102bf4966035f6154cc43512c |
memory/1832-130-0x00000000702A0000-0x00000000702EC000-memory.dmp
memory/3296-150-0x0000000006190000-0x00000000064E4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f37a5347c5e0303f901aa11f16889f2c |
| SHA1 | fc18b5e5c7ba9ec1bb6a6767b33c27483b30076d |
| SHA256 | 200639109561a487d0f32220ca00f20bca9006e23515c83e2eea4fc9670993fa |
| SHA512 | 9089ad71d140240493c94a8fe341c828bfcb9e975598c26118a287688283da4010a5d2aceec755ff3b29f8054df07ba0abfdae8b86663388b77bb407b441a1c8 |
memory/3296-152-0x00000000702A0000-0x00000000702EC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c0f92d8499fcb499af77ae87dd1db298 |
| SHA1 | 213943a776a71477968630cdf186d96d5e483ed0 |
| SHA256 | 1ab10190fb93b1e5686e6fe58f282a9bc57661efb02804a429e40a71387b54de |
| SHA512 | 879d04940152cbb1b14a737a8511a2f8d603291b770533242335cdcfb089c698d0e29ac10d86f6f875ca11a0932fc92774010c45227a2b797cb8f87069506982 |
memory/3960-173-0x00000000702A0000-0x00000000702EC000-memory.dmp
C:\ProgramData\cmd.exe
| MD5 | 148b2c38cf0726535d760a703f803c80 |
| SHA1 | 107503ca149f547d4745fe9b9a3fbae03d60126c |
| SHA256 | 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d |
| SHA512 | 6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd |
memory/4148-191-0x00000000057D0000-0x0000000005B24000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b2ce37edad0a562c40c60e2d49b96254 |
| SHA1 | eb28bcd9d384eb37b2ce9dde9fa09246477c992d |
| SHA256 | 34bd2daa5eb370cafe05f7b0273a95d2324c8f3506a8f9c8e2c45ab667959b9b |
| SHA512 | a04051636a503fe31f0b3dfb1f88902dc47f9a61352251ab7533684a3a4119e791673cf3827bdf1342fe494b35c3d24540ece6925224092985c91201490410f1 |
C:\Users\Admin\AppData\Local\Temp\explorer.exe
| MD5 | 47a1349d06eae691dabf98cc933f2e0f |
| SHA1 | ce62a5aa67e8c167aa0b6b64ecbdac7d29f4730b |
| SHA256 | 4b91eb0a8142ae93d284d57613f21a8112fcbea026dbf4e810cf130d0ed51bcd |
| SHA512 | 5d9ad8bc9340ed851cf2a76158cb91b122e1bd52322fc131bb49a1c959e628197aad3cc56f215c9488ea161f9137dab0ad8ed6cffc87726447b662e2830eb92e |
memory/4148-211-0x0000000005E60000-0x0000000005EAC000-memory.dmp
memory/4148-226-0x000000006EF00000-0x000000006EF4C000-memory.dmp
memory/4148-236-0x0000000007080000-0x0000000007123000-memory.dmp
memory/4148-237-0x0000000007360000-0x0000000007371000-memory.dmp
memory/4148-238-0x00000000073A0000-0x00000000073B4000-memory.dmp
memory/1996-239-0x000000006EF00000-0x000000006EF4C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cmd.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5a63b093c01b02ea37355b389a0bd7df |
| SHA1 | c25eba0c42312d79dcccba8c67e9ff8ccaea7dc0 |
| SHA256 | 99d6f796bb03d36a78a2e37d059f209baa0541b26ae23efe596bfdae5e428f14 |
| SHA512 | 21e0cd7568d8264d78b7d852a5d18eeab8680e6c7a865a8aa7459f7dca497ccd942558150077357938de43348bfd4498a0fc5c8bf05a5e05b2e16ae91cd9c438 |
memory/4816-265-0x0000000006210000-0x0000000006564000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 116d4b6595f977aa65acc5d1b2c09cba |
| SHA1 | c52ff1e93b089098fc153bc3f5ad4ad6ac145fc6 |
| SHA256 | fd876fd6736d858e9eacb67db89079cc3392b69ef8f443be6fddcdf8ad78a1d2 |
| SHA512 | 3d76df969e17092aecfa364b8ff29ec3d33823d43d2b4152917a7197d668f9645ddc91dbfce30ad255efd6533c0dfb9cc9910f6d228c2fb9115914d662e329fd |
memory/4816-267-0x0000000006CE0000-0x0000000006D2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\explorer.exe
| MD5 | c61ec9a30fca46b0b8f3edb41b0e0bde |
| SHA1 | 508f13282b4d41009f60dddc939246bb41c5beb6 |
| SHA256 | 4972ec42fe96e910399b8323b6af5f8a80a966ea567e8d6ee08558c6c750b15b |
| SHA512 | b2dc4c652e4e5388cd00e6ad041fc639ab2c82f25bed82b12bf3d4f685985f3a0e1b73c83d99e872d4149fbc59a161b285a4c0f2ba3b3c6a6cb3fba80f6936f6 |
memory/4816-290-0x000000006EFA0000-0x000000006EFEC000-memory.dmp
memory/4524-300-0x000000006EFA0000-0x000000006EFEC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9ac4f0123bc33d81d3f59f95955c457e |
| SHA1 | 09f0880a463c8ce183c8b32b28d283a9e2bcc246 |
| SHA256 | 45811a97c9afbac5faadb5c5e0f6340fc8f7781aa3f013df0efff9eb9e24d23f |
| SHA512 | c9f25f716bd7848c1497f26b2e0a362f1ed641ebc45bbbc24a88d0b9c2cfec2a8df40a44471b4a2c1b1771d8b62ceed67b4276e5d7dbde678e7d759051ae9bd1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 10:48
Reported
2024-05-30 10:50
Platform
win11-20240426-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk | C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk | C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\cmd.exe | N/A |
| N/A | N/A | C:\ProgramData\cmd.exe | N/A |
| N/A | N/A | C:\ProgramData\cmd.exe | N/A |
| N/A | N/A | C:\ProgramData\cmd.exe | N/A |
| N/A | N/A | C:\ProgramData\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "C:\\ProgramData\\cmd.exe" | C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 448 set thread context of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe | C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe |
| PID 2140 set thread context of 1980 | N/A | C:\ProgramData\cmd.exe | C:\ProgramData\cmd.exe |
| PID 1464 set thread context of 4848 | N/A | C:\ProgramData\cmd.exe | C:\ProgramData\cmd.exe |
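In both runs every SetThreadContext row names the same image as source and target: the sample (and later its C:\ProgramData\cmd.exe copy) starts a second instance of itself, suspends it, rewrites its thread context and resumes it, which is the process-hollowing pattern that puts the real payload into the child. The Files sections carry the matching evidence: the hollowed child (PID 2120 in behavioral1, PID 4792 in behavioral2) has a dump at 0x00400000-0x00418000, the default image base of a 32-bit PE, while the parent's dumps sit at .NET loader addresses. The following Python is an added triage helper, not part of the sandbox report or of any vendor tooling: it correlates the signature rows with the dump names so you can see, per injection, which dump to pull for unpacking and config extraction. The sample rows and dump names are copied from the behavioral2 run; treating a region at 0x400000 as the payload candidate is a heuristic, labelled as such in the code.

```python
import re

# Constructed sample input: the three "Suspicious use of SetThreadContext" rows of the
# behavioral2 run and a few memory-dump names from its Files section, copied from the report.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
DROPPED_EXE = r"C:\ProgramData\cmd.exe"

SAMPLE_SIGNATURE_ROWS = [
    f"| PID 448 set thread context of 4792 | N/A | {SAMPLE_EXE} | {SAMPLE_EXE} |",
    f"| PID 2140 set thread context of 1980 | N/A | {DROPPED_EXE} | {DROPPED_EXE} |",
    f"| PID 1464 set thread context of 4848 | N/A | {DROPPED_EXE} | {DROPPED_EXE} |",
]
SAMPLE_DUMP_NAMES = [
    "memory/448-1-0x0000000000D20000-0x0000000000DA8000-memory.dmp",
    "memory/448-5-0x0000000074610000-0x0000000074DC1000-memory.dmp",
    "memory/4792-51-0x0000000000400000-0x0000000000418000-memory.dmp",
    "memory/1512-10-0x00000000029E0000-0x0000000002A16000-memory.dmp",
]

_CTX = re.compile(r"PID (\d+) set thread context of (\d+)")
_DUMP = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
DEFAULT_IMAGE_BASE = 0x400000  # default ImageBase of 32-bit PE files; used as a heuristic below


def parse_injections(rows):
    """Turn '| PID a set thread context of b | ... | source | target |' rows into dicts."""
    events = []
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        match = _CTX.search(cells[0]) if cells else None
        if match is None or len(cells) < 4:
            continue
        events.append({
            "source_pid": int(match.group(1)),
            "target_pid": int(match.group(2)),
            "source_image": cells[2],
            "target_image": cells[3],
        })
    return events


def parse_dumps(names):
    """Group 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' names by PID."""
    dumps = {}
    for name in names:
        match = _DUMP.fullmatch(name)
        if match is None:
            continue
        pid, seq = int(match.group(1)), int(match.group(2))
        start, end = int(match.group(3), 16), int(match.group(4), 16)
        dumps.setdefault(pid, []).append({"name": name, "seq": seq, "start": start, "size": end - start})
    return dumps


def correlate(rows, names):
    """Attach each injection target's dumped regions and flag self-targeting (hollowing) events."""
    dumps = parse_dumps(names)
    results = []
    for event in parse_injections(rows):
        regions = sorted(dumps.get(event["target_pid"], []), key=lambda d: d["start"])
        results.append({
            **event,
            # Same image on both sides: the parent spawned a copy of itself and rewrote the
            # child's thread context, the classic process-hollowing pattern.
            "same_image": event["source_image"].lower() == event["target_image"].lower(),
            "target_regions": regions,
            # Heuristic (assumption): a region dumped at the default 32-bit image base in the
            # target is the first candidate for the unpacked payload.
            "image_base_region": next((d for d in regions if d["start"] == DEFAULT_IMAGE_BASE), None),
        })
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_SIGNATURE_ROWS, SAMPLE_DUMP_NAMES):
        hit = r["image_base_region"]
        print(f"{r['source_pid']} -> {r['target_pid']} same_image={r['same_image']} "
              f"payload_dump={hit['name'] if hit else 'none captured'}")
```

Run as-is it reports that PID 448 hollowed PID 4792 and that the 0x18000-byte dump at 0x400000 is the one to unpack; the two cmd.exe injections have no dumps in this short sample list, which is how the real report looks for targets the sandbox did not dump before the timeout.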
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
"C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F83.tmp"
C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
"C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe"
C:\ProgramData\cmd.exe
C:\ProgramData\cmd.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1855.tmp"
C:\ProgramData\cmd.exe
"C:\ProgramData\cmd.exe"
C:\ProgramData\cmd.exe
C:\ProgramData\cmd.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2E4.tmp"
C:\ProgramData\cmd.exe
"C:\ProgramData\cmd.exe"
C:\ProgramData\cmd.exe
"C:\ProgramData\cmd.exe"
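The Processes sections of both runs show the same defence-evasion and persistence chain: PowerShell is used to add Microsoft Defender exclusions for the sample path, for the dropped copy, and for the bare process names (Add-MpPreference -ExclusionPath / -ExclusionProcess), then schtasks registers a task "cmd" that re-runs C:\ProgramData\cmd.exe every minute with the highest run level, plus a task under Updates\ whose action is hidden inside a temporary XML file. The Files section lists C:\ProgramData\cmd.exe with the same SHA256 as the submitted sample, so the "dropped EXE" is a self-copy named after the Windows shell. Two caveats for anyone writing detections from this page: the image path is C:\Windows\SysWOW64\... while the command line says System32, because the sample is 32-bit and WOW64 file-system redirection maps System32 to SysWOW64, so rules keyed on the image path must accept both; and on a live host the outcome of these commands is visible through Get-MpPreference (ExclusionPath and ExclusionProcess properties) and Get-ScheduledTask, not only through process telemetry. The following Python is an added example, not part of the sandbox report: it parses process command lines of this shape and summarises the exclusions and the task properties. The sample list is copied from the behavioral1 run.

```python
import re

# Constructed sample input: command lines copied from the "Processes" section of the
# behavioral1 run (behavioral2 differs only in the temporary XML file names).
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
SCHTASKS = r'"C:\Windows\System32\schtasks.exe"'

SAMPLE_COMMAND_LINES = [
    rf'"{SAMPLE_EXE}"',
    rf'{PS} Add-MpPreference -ExclusionPath "{SAMPLE_EXE}"',
    rf'{PS} Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"',
    rf'{SCHTASKS} /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1DD4.tmp"',
    rf"{PS} -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{SAMPLE_EXE}'",
    rf"{PS} -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'",
    rf"{PS} -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe'",
    rf"{PS} -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'",
    rf'{SCHTASKS} /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe"',
    r'"C:\ProgramData\cmd.exe"',
]

# Double-quoted, single-quoted, or bare arguments, tried in that order.
_TOKEN = re.compile(r'"([^"]*)"' + r"|'([^']*)'" + r"|(\S+)")
_MP_CMDLET = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
_EXCLUSION_PARAM = re.compile(r"(?i)-Exclusion(Path|Process|Extension)$")
# PowerShell accepts any unambiguous prefix of a parameter name, so -ex, -exec, ... all work.
_POLICY_BYPASS = re.compile(r"(?i)-ex[a-z]*\s+(?:bypass|unrestricted)\b")
_SCHTASKS_KEYS = {"/tn": "name", "/tr": "action", "/sc": "schedule", "/mo": "modifier",
                  "/rl": "run_level", "/xml": "xml"}


def tokenize(cmdline):
    """Split a Windows command line into arguments, honouring both quote styles."""
    return [a or b or c for a, b, c in _TOKEN.findall(cmdline)]


def defender_exclusions(cmdline):
    """Return [(kind, value)] for every -Exclusion* argument of an Add-/Set-MpPreference call."""
    if not _MP_CMDLET.search(cmdline):
        return []
    args = tokenize(cmdline)
    found = []
    for i, arg in enumerate(args[:-1]):
        match = _EXCLUSION_PARAM.match(arg)
        if match:
            # The parameter takes a comma-separated list; split it so each entry is its own IOC.
            for value in args[i + 1].split(","):
                found.append((match.group(1).capitalize(), value.strip()))
    return found


def schtasks_create(cmdline):
    """Parse a 'schtasks /create' command line into its task properties, else return None."""
    args = tokenize(cmdline)
    lowered = [a.lower() for a in args]
    if not args or not lowered[0].endswith("schtasks.exe") or "/create" not in lowered:
        return None
    task = {key: None for key in _SCHTASKS_KEYS.values()}
    task["force"] = "/f" in lowered
    for i, arg in enumerate(lowered[:-1]):
        if arg in _SCHTASKS_KEYS:
            task[_SCHTASKS_KEYS[arg]] = args[i + 1]
    return task


def triage(command_lines):
    """Summarise Defender tampering and scheduled-task persistence across the command lines."""
    report = {"exclusions": [], "tasks": [], "findings": []}
    for line in command_lines:
        if _POLICY_BYPASS.search(line):
            report["findings"].append("PowerShell launched with -ExecutionPolicy Bypass/Unrestricted")
        for kind, value in defender_exclusions(line):
            report["exclusions"].append((kind, value))
            report["findings"].append(f"Defender exclusion added ({kind}): {value}")
        task = schtasks_create(line)
        if task is None:
            continue
        report["tasks"].append(task)
        if task["xml"]:
            report["findings"].append(f"Task {task['name']!r} registered from XML {task['xml']}; the action is inside that file")
        if (task["schedule"] or "").lower() == "minute":
            report["findings"].append(f"Task {task['name']!r} re-runs {task['action']} every {task['modifier']} minute(s)")
        if (task["run_level"] or "").lower() == "highest":
            report["findings"].append(f"Task {task['name']!r} requests the highest run level")
    return report


if __name__ == "__main__":
    for finding in triage(SAMPLE_COMMAND_LINES)["findings"]:
        print(finding)
```

The tokenizer is deliberately not shlex: Windows command lines mix double quotes (cmd-style) and single quotes (PowerShell-style) in the same listing, as this report does. Feeding the same function Sysmon Event ID 1 or EDR process-creation command lines instead of the report's list works unchanged.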
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lubriaceites.com | udp |
| US | 212.1.210.79:443 | lubriaceites.com | tcp |
| US | 8.8.8.8:53 | 79.210.1.212.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| US | 45.88.186.125:7000 | beshomandotestbesnd.run.place | tcp |
| US | 212.1.210.79:443 | lubriaceites.com | tcp |
| US | 212.1.210.79:443 | lubriaceites.com | tcp |
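Most rows in the Network tables of both runs are not the sample's doing: every in-addr.arpa query is a PTR lookup of a destination IP that already appears in the table (79.210.1.212 follows 212.1.210.79, 137.61.62.23 follows 23.62.61.137), and the bing.com traffic comes from the Windows image itself. What is left is a small set of indicators: lubriaceites.com on 212.1.210.79:443 (contacted three times), api.telegram.org on 149.154.167.220:443 (a legitimate service that RATs, XWorm among them, use as an operator notification channel), and beshomandotestbesnd.run.place on 45.88.186.125:7000, the only direct connection on a non-web port and therefore the strongest C2 candidate; behavioral2 also shows a loopback connection on the same port 7000. The following Python is an added example, not part of the sandbox report: it parses the table as printed, discards the PTR and background rows, keeps one entry per domain/IP/port, and ranks the rest. The background-domain allow-list and the "non-web port" rule are assumptions to be tuned for your own sandbox image; the sample rows are copied from the tables above.

```python
import ipaddress

# Constructed sample input: rows copied from the Network tables of both runs, in the
# report's own "| Country | Destination | Domain | Proto |" layout.
SAMPLE_NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| NL | 23.62.61.137:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 137.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lubriaceites.com | udp |
| US | 212.1.210.79:443 | lubriaceites.com | tcp |
| US | 8.8.8.8:53 | 79.210.1.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | beshomandotestbesnd.run.place | udp |
| US | 45.88.186.125:7000 | beshomandotestbesnd.run.place | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| US | 212.1.210.79:443 | lubriaceites.com | tcp |
"""

# Assumption: hosts the analysis image contacts on its own (Edge start page, Bing tiles).
# Tune this for your own sandbox; it is not part of the report.
BACKGROUND_DOMAINS = {"www.bing.com", "tse1.mm.bing.net"}
RESOLVER = ("8.8.8.8", 53)
WEB_PORTS = {80, 443}
_ORDER = {"c2-candidate": 0, "review": 1, "dns-only": 2, "local": 3}


def parse_rows(table):
    """Parse the pipe table (header first) into dicts; 'Destination' is split into ip and port."""
    rows = []
    for line in table.splitlines()[1:]:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, destination, domain, proto = cells
        ip, _, port = destination.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Return (category, reason) for one connection row."""
    ip, port, domain = row["ip"], row["port"], row["domain"]
    if domain.endswith(".in-addr.arpa"):
        return "noise", "PTR lookup of a destination already in the table"
    if domain in BACKGROUND_DOMAINS:
        return "noise", "background traffic of the analysis image (assumed allow-list)"
    if (ip, port) == RESOLVER:
        return "dns", f"forward lookup of {domain}"
    try:
        is_loopback = ipaddress.ip_address(ip).is_loopback
    except ValueError:
        is_loopback = False
    if is_loopback:
        return "local", f"loopback connection on port {port}"
    if port not in WEB_PORTS:
        return "c2-candidate", f"direct connection on non-web port {port}"
    return "review", "external web endpoint contacted by the sample"


def extract_iocs(table):
    """Reduce the table to unique indicators, most suspicious first."""
    seen, queried, iocs = set(), set(), []
    for row in parse_rows(table):
        category, reason = classify(row)
        if category == "noise":
            continue
        if category == "dns":
            queried.add(row["domain"])
            continue
        key = (row["domain"], row["ip"], row["port"])
        if key in seen:
            continue
        seen.add(key)
        iocs.append({"domain": row["domain"], "ip": row["ip"], "port": row["port"],
                     "category": category, "reason": reason})
    # A name that was resolved but never connected to is still worth blocking.
    for domain in sorted(queried - {i["domain"] for i in iocs}):
        iocs.append({"domain": domain, "ip": None, "port": None, "category": "dns-only",
                     "reason": "resolved but no connection followed"})
    iocs.sort(key=lambda i: _ORDER[i["category"]])
    return iocs


if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_NETWORK_TABLE):
        print(f"{ioc['category']:13} {ioc['domain']:32} {ioc['ip']}:{ioc['port']}  {ioc['reason']}")
```

On the sample table this yields four entries: the run.place host on port 7000 first, the two HTTPS endpoints for review, and the loopback connection last. The dns-only bucket is empty here because every queried name was followed by a connection; it exists for reports where the C2 name resolved but the sandbox could not reach it.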
Files
memory/448-0-0x000000007461E000-0x000000007461F000-memory.dmp
memory/448-1-0x0000000000D20000-0x0000000000DA8000-memory.dmp
memory/448-2-0x0000000005E00000-0x00000000063A6000-memory.dmp
memory/448-3-0x00000000058F0000-0x0000000005982000-memory.dmp
memory/448-4-0x0000000005860000-0x000000000586A000-memory.dmp
memory/448-5-0x0000000074610000-0x0000000074DC1000-memory.dmp
memory/448-6-0x00000000083A0000-0x00000000083BA000-memory.dmp
memory/448-7-0x00000000084C0000-0x00000000084D0000-memory.dmp
memory/448-8-0x0000000008700000-0x000000000875A000-memory.dmp
memory/448-9-0x000000000AE80000-0x000000000AF1C000-memory.dmp
memory/1512-10-0x00000000029E0000-0x0000000002A16000-memory.dmp
memory/1512-11-0x0000000074610000-0x0000000074DC1000-memory.dmp
memory/1512-12-0x0000000005530000-0x0000000005B5A000-memory.dmp
memory/1512-13-0x0000000005480000-0x00000000054A2000-memory.dmp
memory/1512-14-0x0000000074610000-0x0000000074DC1000-memory.dmp
memory/1512-16-0x0000000005CC0000-0x0000000005D26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gb0ijalp.tbs.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1512-15-0x0000000005C50000-0x0000000005CB6000-memory.dmp
memory/1512-26-0x0000000005E30000-0x0000000006187000-memory.dmp