Analysis Overview
SHA256
bb8ddb19c329e2c75a5cf67a9598bd4fa1b30e2b1e88bb192b230f3a67b3afc5
Threat Level: Known bad
The file Expensive crack.exe was found to be: Known bad.
Malicious Activity Summary
Xworm family
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Drops startup file
Executes dropped EXE
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Enumerates connected drives
Looks up external IP address via web service
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 12:21
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 12:21
Reported
2024-05-30 12:33
Platform
win10v2004-20240426-en
Max time kernel
598s
Max time network
455s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Expensive crack.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tzahzf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JMP-Meatspin [small].exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Users\Admin\AppData\Local\Temp\Expensive crack.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Users\Admin\AppData\Local\Temp\Expensive crack.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tzahzf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JMP-Meatspin [Full] (default sound).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JMP-Meatspin [small].exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Runtime Broker.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\AppData\\Roaming\\Runtime Broker.exe" | C:\Users\Admin\AppData\Local\Temp\Expensive crack.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\WScript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JMP-Meatspin [small].exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3571316656-3665257725-2415531812-1000\{77480553-252E-4174-89A6-518250D2B766} | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Expensive crack.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Expensive crack.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Runtime Broker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Runtime Broker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Runtime Broker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Expensive crack.exe | "C:\Users\Admin\AppData\Local\Temp\Expensive crack.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Expensive crack.exe' |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive crack.exe' |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Runtime Broker.exe' |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe' |
| C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" |
| C:\Users\Admin\AppData\Roaming\Runtime Broker.exe | "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" |
| C:\Users\Admin\AppData\Roaming\Runtime Broker.exe | "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" |
| C:\Users\Admin\AppData\Local\Temp\tzahzf.exe | "C:\Users\Admin\AppData\Local\Temp\tzahzf.exe" |
| C:\Users\Admin\AppData\Local\Temp\JMP-Meatspin [Full] (default sound).exe | "C:\Users\Admin\AppData\Local\Temp\JMP-Meatspin [Full] (default sound).exe" |
| C:\Users\Admin\AppData\Local\Temp\JMP-Meatspin [small].exe | "C:\Users\Admin\AppData\Local\Temp\JMP-Meatspin [small].exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\scream\sound.vbs" |
| C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x48c 0x490 |
| C:\Windows\SysWOW64\mshta.exe | "C:\Windows\SysWOW64\mshta.exe" "C:\scream\gif.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} |
| C:\Users\Admin\AppData\Roaming\Runtime Broker.exe | "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" |
| C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD69F.tmp.bat"" |
| C:\Windows\system32\timeout.exe | timeout 3 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brands-omissions.gl.at.ply.gg | udp |
| US | 147.185.221.20:3488 | brands-omissions.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 147.185.221.20:3488 | brands-omissions.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xlucqe0q.h0r.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cae60f0ddddac635da71bba775a2c5b4 |
| SHA1 | 386f1a036af61345a7d303d45f5230e2df817477 |
| SHA256 | b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16 |
| SHA512 | 28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ec4e82a4d157d77d4c40f02f45d45607 |
| SHA1 | a4f4c770b84b6640727363e423a86c67e32ad035 |
| SHA256 | f887d55930d7fa507793a5157560d36b38ec56371154b1f7e4e965ea0d32bdb3 |
| SHA512 | 7eaef788ffbdc8ab046311b2e31e75373880495d1df0f64d0721629a6734d14273d740c90e2caa89f84312390f86e3acf7eb138029a64f1de233c811583d1440 |
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
| MD5 | b6be101304256001f7f455da58f1219b |
| SHA1 | 31b64e6ccd125396c24ab3703ba6db9c7897e97c |
| SHA256 | bb8ddb19c329e2c75a5cf67a9598bd4fa1b30e2b1e88bb192b230f3a67b3afc5 |
| SHA512 | f5a33ba8cdbff2510d10e1fd89a009ff893ed4e59a2a2199edf41ee26b547293578536f14ff967118e1e06eb70ff7680a3962b2b78ab5683d2caead87c43d0f0 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
C:\Users\Admin\AppData\Local\Temp\tzahzf.exe
| MD5 | b4c8bdb7f4b5b699ffbdc80a64d7b9a0 |
| SHA1 | 34b4c12812cf555cde3fac10143fb9b599e491cf |
| SHA256 | 6b4b10447ea76d73edb171c5b08266498188244a658d13589b2a54bc5408866d |
| SHA512 | b7722a4575a88d99745c445d1e14e434c7acd46c027ef121b5f7262ec2f553c1caaa82bc77ee4951ee53f6bd07793679a7690f286a2963989baf1654afafeaaf |
C:\Users\Admin\AppData\Local\Temp\JMP-Meatspin [Full] (default sound).exe
| MD5 | b625b7c13f9a5189b177dbf54834fead |
| SHA1 | 134e6b41316d0f724a82c47f86fd2e3dc892bbe2 |
| SHA256 | b46167adadab181818f8a8cbe880eee65f783665da33b28310680af128a2582e |
| SHA512 | 2fc7243eb446b5eb861af07d796378c1744dfa8b1725b90310370224138c35ebfd4b3587689188033ca606c0e7e14fd0953018519d16c8fc17faf86ab162010a |
C:\Users\Admin\AppData\Local\Temp\JMP-Meatspin [small].exe
| MD5 | 03fe7b85541daa5f13af4b968f8627fe |
| SHA1 | 96972255629bb441d27656394a97bd35d326be57 |
| SHA256 | e6d4758d50848845be3b35c401574f1a4b52456a9b69f832d6c956292ae7e8d6 |
| SHA512 | 85c7cb7a4e893ccc9a7ee3be62bb6ed9f18de3fd74f35982acc58799de7a980da9b0d20f1ad11ef5b76ce2a58a19ad6e7085decbb93887a008ae9c67a91df72c |
C:\scream\sound.vbs
| MD5 | f96daee32c46bdc2cf56072569fd556b |
| SHA1 | 9d45104e279c7866b65d6cb1775f6612d23c0863 |
| SHA256 | 6cbf377b3b2369be137810746491e2f1044f7a53d6a3090646592b6cb77eacca |
| SHA512 | 4aae0071250ec569ba1274fd012c407707d39b4b8e3fd0a23406eccdb0a866aa833634f7529101f81b250a0961142b54733e0b8370f5741fe48068f384f79dae |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\scream\sound.mp3
| MD5 | 2e4a9b92bc0fb5047ed88d972df63574 |
| SHA1 | a1ab8cb9fc24a71652b33366732e6ed60ce29e79 |
| SHA256 | b8bbac912a37dbd0fd11cf93d3ad0bcd157323f2048f8ef348ea8063bd249af5 |
| SHA512 | 1fb7f9876df507ffc32c07abf033788d5909d1a81687eb4e58a1d8238698ba185c25410f703101832f3f562de567b3eb353726404d29acc6b63387966c7a404b |
C:\scream\gif.hta
| MD5 | 74e44289c376074367616125c02c3dde |
| SHA1 | 2564f2335abd6e8beff609734f222e8d1071524f |
| SHA256 | 306e5356eddaf0f9c3a81435bb3649adfad37f0dc78bc6d7d495c19977ee874f |
| SHA512 | ff1aa8c4c7b8f3aff603bfbe99382bf7f8b1e2536fa47b480ca1bb4a68752d319d6fac4b8d70e75e61fbb13aa2340b1ba90f1dbe38e6895278bf8c0fcea64598 |
C:\scream\tenor.gif
| MD5 | 5ae4eda92fa93a801918aad9a86a397c |
| SHA1 | 8ba45bc37e04a80ed4976eb71a717440664f064b |
| SHA256 | 35f4098333e766f164e3b380ade757c9303a704d19acf58ed56ef1dc2e906fc1 |
| SHA512 | 0eee3054c90d4c5994ec1b3ad8da887fa1460e1eb27c0faaca65457c8237da6062a1d13da73fd006030541b60598b03f0d1dd35f8702057d6cc9b07678e12e07 |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 3a16ce313f0aedba14943c83ef4a853a |
| SHA1 | e3d635fcf3471a638153e8756da3d3e06cf102f1 |
| SHA256 | 0d6943432a32c38e203c1a2eace24145e470b06d9d73bdf3a82a32955124d00d |
| SHA512 | a89b9b75ca9a0556eff3ddfc202ac17e3d78c2a5334b61a1f97d9aa802234b2bbcb43b20fe2440d45c6a742e69a4032cdae5e92e491d1a5b79fe21cdf475ae6a |
C:\Users\Admin\AppData\Local\Temp\tmpD69F.tmp.bat
| MD5 | 03a4b55377378931f9501efd59bd9c4b |
| SHA1 | 4df7263268d51125c13d005d29f46bcc83d418ec |
| SHA256 | 9bd229bf0312b870a572fc7767290b03df218820cc5967d26751405eedaccba4 |
| SHA512 | 9785572e8c339be6803a3d224ab3da30b0d30134e4754ceda496196381923be36ccf13e633a82c0fbcfea15dd7bb1927258bcf1fb4f692089bf9a86f8d87041d |