Analysis Overview
SHA256: 5bedf797ee31c036c5fe24a2bbb51e9c916a5df1adeaf4f1e2612034b6e52ae8
Threat Level: Known bad
The file XClient (1).exe was found to be: Known bad.
Malicious Activity Summary
Xworm family
ModiLoader, DBatLoader
Detect Xworm Payload
Xworm
Ramnit
ModiLoader Second Stage
Command and Scripting Interpreter: PowerShell
Drops startup file
Checks computer location settings
Executes dropped EXE
ASPack v2.12-2.42
UPX packed file
Looks up external IP address via web service
Enumerates connected drives
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Modifies registry class
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported: 2024-06-15 19:33
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-15 19:33
Reported: 2024-06-15 19:38
Platform: win10-20240404-en
Max time kernel: 298s
Max time network: 301s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
ModiLoader, DBatLoader
Ramnit
Xworm
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cdgpks.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qkripg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hppemw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jmkryq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qyhsdp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zyqywe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\maigns.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\maignsSrv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\WScript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Microsoft\px5A03.tmp | C:\Users\Admin\AppData\Local\Temp\maignsSrv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\maignsSrv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\maignsSrv.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B5F30EB7-2B4E-11EF-B03F-4A72145DDB9E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\System32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\jmkryq.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\qyhsdp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\zyqywe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cdgpks.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\XClient (1).exe
"C:\Users\Admin\AppData\Local\Temp\XClient (1).exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient (1).exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient (1).exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Users\Admin\AppData\Local\Temp\cdgpks.exe
"C:\Users\Admin\AppData\Local\Temp\cdgpks.exe"
C:\Users\Admin\AppData\Local\Temp\qkripg.exe
"C:\Users\Admin\AppData\Local\Temp\qkripg.exe"
C:\Users\Admin\AppData\Local\Temp\hppemw.exe
"C:\Users\Admin\AppData\Local\Temp\hppemw.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\287D.tmp\287E.tmp\287F.bat C:\Users\Admin\AppData\Local\Temp\hppemw.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\g.VBS"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3a8
C:\Users\Admin\AppData\Local\Temp\jmkryq.exe
"C:\Users\Admin\AppData\Local\Temp\jmkryq.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS"
C:\Users\Admin\AppData\Local\Temp\qyhsdp.exe
"C:\Users\Admin\AppData\Local\Temp\qyhsdp.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\loll.VBS"
C:\Users\Admin\AppData\Local\Temp\zyqywe.exe
"C:\Users\Admin\AppData\Local\Temp\zyqywe.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS"
C:\Users\Admin\AppData\Local\Temp\maigns.exe
"C:\Users\Admin\AppData\Local\Temp\maigns.exe"
C:\Users\Admin\AppData\Local\Temp\maignsSrv.exe
C:\Users\Admin\AppData\Local\Temp\maignsSrv.exe
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4616 CREDAT:82945 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | restaurant-equation.gl.at.ply.gg | udp |
| US | 147.185.221.20:23887 | restaurant-equation.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.20:23887 | restaurant-equation.gl.at.ply.gg | tcp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
Files
memory/3748-0-0x0000000000EA0000-0x0000000000ED6000-memory.dmp
memory/3748-1-0x00007FFFB6A63000-0x00007FFFB6A64000-memory.dmp
memory/3748-2-0x00007FFFB6A60000-0x00007FFFB744C000-memory.dmp
memory/2340-7-0x0000018877D30000-0x0000018877D52000-memory.dmp
memory/2340-8-0x00007FFFB6A60000-0x00007FFFB744C000-memory.dmp
memory/2340-10-0x00007FFFB6A60000-0x00007FFFB744C000-memory.dmp
memory/2340-13-0x0000018878000000-0x0000018878076000-memory.dmp
memory/2340-12-0x00007FFFB6A60000-0x00007FFFB744C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vmv5o4pq.quh.ps1
| Hash | Value |
| --- | --- |
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2340-51-0x00007FFFB6A60000-0x00007FFFB744C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| Hash | Value |
| --- | --- |
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | fc9c1d170089ec115d99cf6cd563ef2e |
| SHA1 | 08e1ec0454a12751d42b2e1ec3010e5a298e3774 |
| SHA256 | 0e5cd56e2a6c2a9c95b758cc17dd165e98a97dc4a725e7ccb7049d88d5682305 |
| SHA512 | 62a5a77c0526ae51762f6b5ea5058a9792da5e4c872faaa0b2c05acf10581b43a220e3b607b98626ca709fa3c16673fa6bb29136863ff697c08b3eba75528e4d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 3955d902a0d1031670335d3c80c05095 |
| SHA1 | 3952f9bde95133f5bb5f808aca3c7f08da4332f4 |
| SHA256 | 4930aa317fc07c258abafb682ea05c55a2398471438a344cd25d1e34faf9ca3b |
| SHA512 | 445addc345ae2b7f89fc3fe63eca4a95e20d0022410023c25bf0064b8d6a873f6d807d76a800c87f2b638a95f46f18170ef4d74ad34d7f342b0a5d67b830507b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 784737393e6208d28ebaf76489fb806a |
| SHA1 | 9db33bf3b2f653354701c9675186a90548f90990 |
| SHA256 | 8014c2d4ee16fd194c1db17f3176694462529c562db910d6e191e7fb21442e40 |
| SHA512 | 0f80e4f92a5599b4cf7f9eb304abbfe3502e18d509fbda79944c2b6533945a8257683feb0c2563661b8c1cd2a8f9e00e4620fdf68d8d9140b2d02dbf25e57409 |
memory/3748-185-0x000000001BB90000-0x000000001BB9C000-memory.dmp
memory/3748-186-0x00007FFFB6A63000-0x00007FFFB6A64000-memory.dmp
memory/3748-187-0x00007FFFB6A60000-0x00007FFFB744C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cdgpks.exe
| Hash | Value |
| --- | --- |
| MD5 | 9729d33f5cc788e9c1930bcc968acffa |
| SHA1 | 68c662875f7b805dd6f246919d406c8d92158073 |
| SHA256 | 3711a334cb3c6e2a92461067f2d7db2946e9b139f1517b214bc929ba42a86aae |
| SHA512 | af12beee6da79e5498eb292eb4a122667bf5dcdf840def97a5476adb31e0701a2aa0585b4266547bb4307c3524c7f9733dbf32f2a87c87b33fadb4bb1ecd0c3f |
memory/4324-193-0x0000000000400000-0x0000000000671000-memory.dmp
memory/4324-195-0x0000000000400000-0x0000000000671000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qkripg.exe
| Hash | Value |
| --- | --- |
| MD5 | 81dd862410af80c9d2717af912778332 |
| SHA1 | 8f1df476f58441db5973ccfdc211c8680808ffe1 |
| SHA256 | 60e76eda46185d1d2e9463d15e31d4c87eb03535d368cc3471c55992bc99ad5f |
| SHA512 | 8dd014b91fb1e2122d2e4da444db78dd551513c500d447bb1e94ceb7f2f8d45223a8a706e2156102f8c8850d2bb02ae6b8ea0c9282abd7baaa2c84130112af15 |
memory/2300-201-0x0000000000400000-0x0000000000545000-memory.dmp
memory/2300-202-0x0000000000400000-0x0000000000545000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hppemw.exe
| Hash | Value |
| --- | --- |
| MD5 | 71b95442443e68968a6b57695b0a7c3a |
| SHA1 | 9c6704a948d1738c152d6b2eb661802aa5238490 |
| SHA256 | 96ba623b49bc0e546b7c0d66a0cfeb457cdb882700ceacc424468cf4998ec5bc |
| SHA512 | 1a7769780611876c7fa32ba8f204c22df8c0a73a792544c59203775212572358c5cce52e8f9973a1fb4c97d0bc9861b79c40c243c56242d8a33918fe95be0fd6 |
memory/4828-208-0x0000000000400000-0x00000000004D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\287D.tmp\287E.tmp\287F.bat
| Hash | Value |
| --- | --- |
| MD5 | f7797a987e496cd654125fe3bac95c14 |
| SHA1 | 7cba1d358434ca024a7180b773f9f0f144b918f9 |
| SHA256 | 0fea6030305df43e8555f79806142eee57f3df68476ba3de9713c0cdc12d96c0 |
| SHA512 | f9aead43b503882eca3b33775e38f287e4c541b17f2338f5324720a7a550f83cba9bc9a5420c32c33192dff076b2fedfe2f9e0963174253b306e6fc3c68926f4 |
C:\Users\Admin\AppData\Roaming\g.VBS
| Hash | Value |
| --- | --- |
| MD5 | 2a8ff4a916ef8c709834ca6c01a9b82b |
| SHA1 | 293199e83a300133444bec524fa8554a6650f44d |
| SHA256 | bb44658dfa13b55f495d85cfdd6d41d51cf0c5cf92e476ef5f795a01974ca66d |
| SHA512 | a9d4233b020129071acab6f702c95aa86a6c5bf60ac7b4df8ed71e7424933d11d689417c838574d33c1a0a8f1d96591d700840793ac3f50e1565c88352d236ed |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| Hash | Value |
| --- | --- |
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Roaming\99.mp3
| Hash | Value |
| --- | --- |
| MD5 | b8b28136f2f3368edf2328945976d086 |
| SHA1 | ccb5bec232adc415da187b114913429d613a252b |
| SHA256 | 26429917113c9880cc48fb382a82ce301112270b6133a6a57b0b48c47839cbc8 |
| SHA512 | 7909f5d0853701f1415f445304b54375a7e6011e112f489b39ee48578664ba9b1f3ce217c429236c25d9e1beb916d7762d8a05437d40eb31a61efe376e21446c |
memory/4828-235-0x0000000000400000-0x00000000004D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jmkryq.exe
| Hash | Value |
| --- | --- |
| MD5 | 8a3bf66a46bf5345fe616ae6dac00774 |
| SHA1 | da5745ed1c1fb3d99383354d90c385c44f2b5b85 |
| SHA256 | d4dc7e1ad2744954648662db97aa8a924e1531143bc01cf6bf8c9fea87240306 |
| SHA512 | 92b362583bcf3fd287554641c9b8938cf7f923aef948ae77f3959aa20d199650cddaaabfa0fe9eba85a46cd5501632cab517124b5812d7e6b8b03c2ba23cca63 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS
| Hash | Value |
| --- | --- |
| MD5 | 3ac977603b68218710eac66b97eb4265 |
| SHA1 | 83b1871c607026e008cf5133ca6e168fbbb19700 |
| SHA256 | 6242be8be9eea566bd2051b66730e9c71364c3d9b8bba1f487012ce9d9e5840a |
| SHA512 | fbf6216ec476a8f66c7fe6e4798362d69c55e39917dd070cc8a4e7575315f4dc32ac794435f01395ee6daccc9bbf6f209d9ff53259c7d8c3d2f29420efb233e1 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jphpapfa.mp3
| Hash | Value |
| --- | --- |
| MD5 | 3b07c464b0b9ebc7e8d4bcc12b208eef |
| SHA1 | f3e633ee38debc09c673b2b88a21689a472500ab |
| SHA256 | c1b7d1a7d457cf1aada7b7cb1ecc50a1f64fa4957d4667277144a712160adb67 |
| SHA512 | c6587eb19a8bd4ba941f50519f2c66a9e04c46a8f31f8253b26e5bc65346ac7bb0d31f46ff1bd3ac8cef40730d5f1984e014bd795ee512c2696eae2c8c14b626 |
memory/1316-257-0x0000000006700000-0x0000000006710000-memory.dmp
memory/1316-258-0x0000000006700000-0x0000000006710000-memory.dmp
memory/1316-259-0x0000000006700000-0x0000000006710000-memory.dmp
memory/1316-260-0x0000000006700000-0x0000000006710000-memory.dmp
memory/1316-261-0x0000000006700000-0x0000000006710000-memory.dmp
memory/1316-262-0x0000000006700000-0x0000000006710000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| Hash | Value |
| --- | --- |
| MD5 | 4eae25a96295a5e0b02990bb40589c55 |
| SHA1 | 3cdb19fffe5c36809bf8eeeeaf0fece9bd564068 |
| SHA256 | 3ca54d4307a8f9abb10727dc629c190b931e2b279fb2a032c193dca5f0a81809 |
| SHA512 | d80818ed9f66c721f3d27a8133413154077a1b2b97f2567939547576368f855fdbf3bd1bfb284dbc11bc42c8bd4fe749af9d311f50110aafb3624e4ef6dc3802 |
C:\Users\Admin\AppData\Local\Temp\qyhsdp.exe
| Hash | Value |
| --- | --- |
| MD5 | 4f57c1b3d49a55b68debe9574693f431 |
| SHA1 | e60b361ec5b90e9da0d3706063506c000022209f |
| SHA256 | 9a97ee81a6fb9bf27533a25976a9c8c8f27d46eaa0042fd803ef1debd93a278b |
| SHA512 | 24632c82081770311258c09e91992d21c3531ca91548aec52de79d47a579ead75764f8335aa0bcd4b987b3ebdb5fbf301c98c4830965fcf28297b4ff33a1458a |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\loll.VBS
| Hash | Value |
| --- | --- |
| MD5 | 06056eda2f8d8f6f4d521fe647bc9049 |
| SHA1 | ab2a4e7dc9e9832133e31ef2ca33b54371eef1a9 |
| SHA256 | 153e62ddf2efc99cdb89397e9691e2671d2be58b17304503861f31ef3f9d1e8c |
| SHA512 | 720b203921497b3e810d18f532de5f8e5dac36c1c65a62b356a40381f94d1adb8f8e299b82ccd7bf5f5cc6a137c2f2547494c858a6251a57b9bb75c3d8326901 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Jopa.mp3
| Hash | Value |
| --- | --- |
| MD5 | bcb5ce62d94dce97f7e4dbeb22e80a83 |
| SHA1 | 3b228f34cf934dffea6401b1e5a393f4cc1477bb |
| SHA256 | 0696db7d3aa8c5cc36d3934c81ab286f24d28fb32f565713d78c035c9180c30e |
| SHA512 | a169595173b1bb48ddaee030bacf7d3329ab77bb8c788fb67e97940a2a686bb427e10c24b6bab9dbb347d46d056fbd4862e2a52fc9d826fd9f9eddc60be13a86 |
memory/3428-290-0x0000000006650000-0x0000000006660000-memory.dmp
memory/3428-292-0x0000000006650000-0x0000000006660000-memory.dmp
memory/3428-293-0x0000000006650000-0x0000000006660000-memory.dmp
memory/3428-291-0x0000000006650000-0x0000000006660000-memory.dmp
memory/3428-294-0x0000000006650000-0x0000000006660000-memory.dmp
memory/3428-295-0x0000000006650000-0x0000000006660000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zyqywe.exe
| Hash | Value |
| --- | --- |
| MD5 | 3773ae2f5f86f604c72ce4521b5714ec |
| SHA1 | cc322fade592e0425340a995f65dd1096adc3af3 |
| SHA256 | e9e4c0ab3d45ba5904b96770f74a472d43e0836d6f60785aaf4aedded122f12b |
| SHA512 | 5f76d153d791f2542a1b6c65d39703b6b716cb332cb75b8549367768101f753f934d1ff028df349880648dd0db84253a54e28200d258fe5aae5dbd278c54faac |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS
| Hash | Value |
| --- | --- |
| MD5 | 8d36eace2a2d6de198f8d3ce08cd5d43 |
| SHA1 | 062ddedee70d8d7c3308d88d68aa0ea3789d4fea |
| SHA256 | 9b9fef32319fe3f63862dd3cd249aca47d19cc84e3b1cba7cfc119a7b10b5f67 |
| SHA512 | ab9ab006e1f18b14261f53c0be30e95e0dc2849f361264f63a0d77a5709a9120bd288629acddb4764af0f67b3500ab94756975fa43efd159f80ff9a47eee21cf |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\prj_13227446_af964180a02e2e666da4b3b2b9b1122f_1655137951.mp3
| Hash | Value |
| --- | --- |
| MD5 | 7f78fe7fe746e41a567826883b819d54 |
| SHA1 | 55b459838e2360e4b99a81ac8e41d927fa37dcee |
| SHA256 | 17f5f3a89aa9cb04d62a9c2783d4298d7ecbe2bef15187aca88d65c11465a174 |
| SHA512 | d96d7cc9d7dab6ba0d2d57607b23419aabfb61f88787c708839420a4d5f216db79a013c5832b174393398120989cf539aeb288c7537e7c47039feb8203b22cb6 |
memory/2972-314-0x0000000005C30000-0x0000000005C40000-memory.dmp
memory/2972-313-0x0000000005C30000-0x0000000005C40000-memory.dmp
memory/2972-312-0x0000000005C30000-0x0000000005C40000-memory.dmp
memory/2972-311-0x0000000005C30000-0x0000000005C40000-memory.dmp
memory/2972-315-0x0000000005C30000-0x0000000005C40000-memory.dmp
memory/2972-316-0x0000000005C30000-0x0000000005C40000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| Hash | Value |
| --- | --- |
| MD5 | 84481deee56dd1b6a7d314a4c59210a9 |
| SHA1 | cc529d8fc230db433cc8c2cd57174c8963cfdc4d |
| SHA256 | 0cf8ac35941b2b2bb618576dced6b2a99106ca2544ef0964bf60d73e5485e124 |
| SHA512 | f4654ce5f2e13b6ba5876d4b62bfc19bf5a5d8b7879dabee15a8fc289c0a634ddc8e840c302e48d652f84f49692729d2397c75f805d7e4693cad5648f723cf3a |
\??\PIPE\srvsvc
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\maigns.exe
| Hash | Value |
| --- | --- |
| MD5 | 7eb8c9c1701f6b347721b42ba15c0993 |
| SHA1 | 13e62637aa5c402383f5665d20c7491c51bccbdc |
| SHA256 | 6d5e92ccc9d65e02d8f805e3f4e33841db34a562b3c882a137146461a56bdec2 |
| SHA512 | 22572a6ebf16b5e260c5d99f30aaefabd88a143bc6b6a9a4d7b82a31ffeb7970d3701c697fcb4c692c6f450782982f3e43f74e3b01fe3ebf1957fc0ef0a4a072 |
memory/4476-323-0x0000000000400000-0x000000000045B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\maignsSrv.exe
| Hash | Value |
| --- | --- |
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
memory/4396-330-0x0000000000400000-0x000000000042E000-memory.dmp
memory/4876-335-0x0000000000540000-0x0000000000541000-memory.dmp
memory/4396-336-0x0000000000400000-0x000000000042E000-memory.dmp
memory/4876-337-0x0000000000400000-0x000000000042E000-memory.dmp
memory/4876-339-0x0000000000400000-0x000000000042E000-memory.dmp
memory/4476-350-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4476-353-0x0000000000400000-0x000000000045B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-15 19:33
Reported: 2024-06-15 19:38
Platform: win10v2004-20240508-en
Max time kernel: 300s
Max time network: 53s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient (1).exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\XClient (1).exe
"C:\Users\Admin\AppData\Local\Temp\XClient (1).exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient (1).exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient (1).exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | restaurant-equation.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/1928-0-0x00007FF8AF063000-0x00007FF8AF065000-memory.dmp
memory/1928-1-0x0000000000090000-0x00000000000C6000-memory.dmp
memory/1928-2-0x00007FF8AF060000-0x00007FF8AFB21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_agt33k1z.nii.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3248-12-0x00007FF8AF060000-0x00007FF8AFB21000-memory.dmp
memory/3248-14-0x00007FF8AF060000-0x00007FF8AFB21000-memory.dmp
memory/3248-13-0x0000029676EA0000-0x0000029676EC2000-memory.dmp
memory/3248-15-0x00007FF8AF060000-0x00007FF8AFB21000-memory.dmp
memory/3248-18-0x00007FF8AF060000-0x00007FF8AFB21000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d14ccefeb263594e60b1765e131f7a3 |
| SHA1 | 4a9ebdc0dff58645406c40b7b140e1b174756721 |
| SHA256 | 57cd435c8b2bf10a2c77698301789c032e1b6b623ff1420c72e8bca0b10f1e5c |
| SHA512 | 2013a26123f72a4106524fd9d7389ac4654f97033d22707efc084fb2a3ad01c298eb64f01bb64861ab603615022dbe7cfc97475346edb16b3ba72e905127f101 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e58749a7a1826f6ea62df1e2ef63a32b |
| SHA1 | c0bca21658b8be4f37b71eec9578bfefa44f862d |
| SHA256 | 0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93 |
| SHA512 | 4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70 |
memory/1928-57-0x00007FF8AF063000-0x00007FF8AF065000-memory.dmp
memory/1928-58-0x00007FF8AF060000-0x00007FF8AFB21000-memory.dmp