Analysis Overview
SHA256
733cef3e9946378bf9f84d6f19cf1ea8c696d98a759838eb88e0673f21ad8730
Threat Level: Known bad
The file Bezpieczny Plik.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Xworm family
Contains code to disable Windows Defender
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
Checks computer location settings
Executes dropped EXE
Drops startup file
Enumerates connected drives
Adds Run key to start application
Looks up external IP address via web service
Sets desktop wallpaper using registry
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 20:14
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 20:14
Reported
2024-06-20 20:22
Platform
win7-20240611-en
Max time kernel
464s
Max time network
471s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk | C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk | C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Defender.exe" | C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" | C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 008a9a9b4fc3da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C67EDAA1-2F42-11EF-9E55-E6415F422194} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a80760000000002000000000010660000000100002000000005c63fa9519fb7bb1639660f463a6cdebe062b770efc252828245506d503409f000000000e8000000002000020000000b6156aac3451162e6731cbeafec666a97856471d089171f7252da24613ab454b90000000015e572a6196e5423cca4c15caf58a7d480e2ce065b41d6bdc530fd560eb3d4390c584df06e353fbca02ae62c790d3a8f22b957a6d29a0355e49e8d1b8c02b2e928842706973b479ebf09a07e16a7e1b7948c28b215e92719ed2c712c64cefd535c0457bdbc524ff312ae1bc693f501b43c58975b2b67a64739de60d535f76f4e53c3016ab6a57480da171cfffed1d2940000000e0013f75f6cd99aba557b692714be2ba4d13357ef1ceb2f67b4cf7ad3fe96292307470639a44cfe8f6b9f9badcf9ab38b5600820d4de5d690d7f6362806cee89 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000aaf8947392313e51ad2ab4af68647f552a6ab1a02ba6c986bd27f980dd24829b000000000e8000000002000020000000c7c73f64a85ad3bf5aace548120d7a48f9cbdf5a2f45c1c9908647db113938b420000000669d5de58785efd61203a6d7ec91fe3d6e5ea7e843c9a7451bab36fdfaf55e974000000008511d432582098cba44146b8306b2ff9c2568d3130b3c21dfd5c9637ad0553aff518032be72190f373f4aca640c111ca3d1dadb27c05febf7b02a302b7c1069 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe
"C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Bezpieczny Plik.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {FB1EC592-7FDF-4875-859D-E95215B036C4} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1072 CREDAT:275457 /prefetch:2
C:\Windows\system32\shutdown.exe
shutdown.exe /f /s /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | remember-sail.gl.at.ply.gg | udp |
| US | 147.185.221.20:33823 | remember-sail.gl.at.ply.gg | tcp |
| US | 147.185.221.20:33823 | remember-sail.gl.at.ply.gg | tcp |
| US | 147.185.221.20:33823 | remember-sail.gl.at.ply.gg | tcp |
Files
memory/1440-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp
memory/1440-1-0x0000000000C90000-0x0000000000CC2000-memory.dmp
memory/1440-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp
memory/2800-7-0x000000001B270000-0x000000001B552000-memory.dmp
memory/2800-8-0x0000000002490000-0x0000000002498000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 701a1d61b87e57e83ecf600f5e89297a |
| SHA1 | 0f993c8e5587144870d024b60e2cc27e9b09d643 |
| SHA256 | 134b943bedb33e4f7625c079fcaa1ffaea1b9903c1f7c97fcaf4579b12a24fe7 |
| SHA512 | b5c7dd2378bee0f5f8d6492b7ff61d3b6ef1f51a99334a676280b883b09c0580e8921c252b6aa658d9853831081cc9dabc37a9b64496a3e53ac6425aa03dfc44 |
memory/2632-14-0x000000001B470000-0x000000001B752000-memory.dmp
memory/2632-15-0x0000000001EA0000-0x0000000001EA8000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1440-31-0x000007FEF5973000-0x000007FEF5974000-memory.dmp
memory/1440-32-0x000007FEF5970000-0x000007FEF635C000-memory.dmp
memory/1440-34-0x000000001A7F0000-0x000000001A7FC000-memory.dmp
memory/1440-35-0x000000001AC40000-0x000000001AC4E000-memory.dmp
memory/1440-36-0x000000001AC50000-0x000000001AC5A000-memory.dmp
memory/1440-37-0x000000001B0B0000-0x000000001B0BC000-memory.dmp
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC
| MD5 | 5c088134b8d44512417f3c0c5b5e0b28 |
| SHA1 | 9fa38efde1cf2b2f30746e1524d12c6f188068a8 |
| SHA256 | 65ccc62d0c35f7f700c9801ef817968ad89f6d711897361b62d5556234387d74 |
| SHA512 | 3d01738706d99d989a63caac5de5fd4fbc2a062949437231e29a54a74f2912e5f042c1476be135be5eeafb1dc222441cf4ad67ea8ad443bde59566ff1186859c |
C:\Users\Admin\Desktop\How To Decrypt My Files.html
| MD5 | 67a803ecf30cb281b5944055eab437bd |
| SHA1 | 6f4aeded87fcc7607cb959830bfd55866effcff6 |
| SHA256 | 755f39cdc15a4a15ff6a5243831f32881f3c5b0517eba5951d234ac737300566 |
| SHA512 | 56bc98d95ef24bfe513bbbed6faae771f0420e64b1c2e230553519e4c8480e898268a5c679bf9d8b818e0a1a22c1edd98ce4ecf7a9ea03c213b14738c27ead60 |
C:\Users\Admin\AppData\Local\Temp\CabC32.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarCF2.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | def3e184f81f09ce59a01cf7a7cb24db |
| SHA1 | a1b6dfa1258ace49ae5d99fa68248869ab16b2b3 |
| SHA256 | 19621d1cf1ddb5ea54ef9dbf6f5e93162c5e179b276961747cca0273711cc39d |
| SHA512 | b0de4b4cb24d97c5dedeaf80ba9d240f264c87683eaafc61de7959d2e5bf6ab9268c39c67c37d59f9222c2ac8a3ee7312404d0724688525a3452502db06d9632 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e20197cfe7d597dcbfaa5376cd74588e |
| SHA1 | 56a631fce7b82bbdafb76d643d9bc2e53977c839 |
| SHA256 | 41b3f7b73ada3be2983dde01be1b6975c856ff73450a244cc3acd3925ee6f930 |
| SHA512 | 5ee5b643e243f71975e8a50679f37f91906eedc302de84f1dba598c7bff18ee005e078a7252baa4cccf2041bf0c9330f516ba9846ff839f461a70a8a27472d0d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 193568ac33eccb47fc770fe2f5313160 |
| SHA1 | 779c914c76b592ef7f2c4e45efe47fc93b4154df |
| SHA256 | 926559176a3b93d68a6b483ff2888bf390fbc8ce618e157ab7d9f5adf098c5bd |
| SHA512 | 122199ed43729b2d0d577472b16d92db0d5bae913c2a6ee05e17ebde2b79a311ed1fe2de80ee314566004f22d2d364ede59f839d713d1578b4abe602af0b69ed |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 901fd4e6b925a29aa38e1342e330c4f4 |
| SHA1 | c442f6b2e82733d5fa3e7fbe68ba6490375f8a32 |
| SHA256 | 3f9ad41f87dc63fe0f1a3a9243ee34710a1a98b3a00e18d5d1dd244aa49a4d19 |
| SHA512 | 66068d55c3e1f4fd46a535ed8552041e7710b1110e07b6e5079590991a725481aa6585e899d8b1c8c1944ff3cbd24b1e42287834c689c7d9c3f320358e1390b0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d5735e8c8878563bf4d94778c085d405 |
| SHA1 | bd8698b33a3397fd84411ff2e7642d5032d68f81 |
| SHA256 | cfe8ffec1840150ebae99bc9d89f9e71cbf4c0169998073bc01a684a6c4d65e5 |
| SHA512 | 0d20477cdb71d052251ac04d7acb107eff4f6de36d6f66e736870c05e5c3b1b4026e84e4705f492445a0dd85e18e7e31f7f2b0dc6af21bff506c7f5fe940c538 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 06dbe8bdc22314888ebbba501dc2b22f |
| SHA1 | 336e59f8704998fdb59c263a35de56f19bd476f3 |
| SHA256 | fdf4cce931df9bdca68c881ae1b3736f27f7148606546cf745066fa7b486a266 |
| SHA512 | db4b451a95803aae52ed01e70dd787ccab04e0b49949170b0e69cb1fbe9ac146c998940cff9b048aa6e9e9058323e91095809a3bc0af8cf865db7e9cc4858d4d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4a1bd045a7efcb393ce0b441f6f341a0 |
| SHA1 | ed4292da0e8d30c2783e190e8cc3da8b2a195b75 |
| SHA256 | 3b7e822abe9c577263684b927f979fcece46953506d139cbffbc62ec5c2e609a |
| SHA512 | c65890ea8b47a3e3e4635d282c758290187be72f9255d825d60bcc3714143e756e35c7cc4c6f12ec0b105aa66d9dcb0c3db9715d193d0c0daf753147085236de |
memory/1440-668-0x000007FEF5970000-0x000007FEF635C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 20:14
Reported
2024-06-20 20:22
Platform
win10v2004-20240611-en
Max time kernel
465s
Max time network
472s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk | C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk | C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Defender.exe" | C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\a: | C:\Windows\system32\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" | C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "197" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe
"C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe'
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4252,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Bezpieczny Plik.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dbxxcm.bat" "
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2832,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=1376,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=1384 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=3668,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=4804 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --field-trial-handle=5360,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5528,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5540,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:8
C:\Windows\SYSTEM32\shutdown.exe
shutdown.exe /f /s /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38d8055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:33823 | tcp | |
| US | 8.8.8.8:53 | remember-sail.gl.at.ply.gg | udp |
| US | 147.185.221.20:33823 | remember-sail.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.242.123.52.in-addr.arpa | udp |
| US | 147.185.221.20:33823 | remember-sail.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| IE | 94.245.104.56:443 | api.edgeoffer.microsoft.com | tcp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| US | 8.8.8.8:53 | 56.104.245.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 2.20.12.87:443 | bzib.nelreports.net | tcp |
| GB | 2.21.189.233:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| GB | 172.165.61.93:443 | nav-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.61.93:443 | nav-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.12.20.2.in-addr.arpa | udp |
Files
memory/3500-0-0x00007FFC79173000-0x00007FFC79175000-memory.dmp
memory/3500-1-0x0000000000770000-0x00000000007A2000-memory.dmp
memory/3500-2-0x00007FFC79170000-0x00007FFC79C31000-memory.dmp
memory/1164-8-0x0000018DA0FB0000-0x0000018DA0FD2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p0gqnmqq.kok.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1164-13-0x00007FFC79170000-0x00007FFC79C31000-memory.dmp
memory/1164-14-0x00007FFC79170000-0x00007FFC79C31000-memory.dmp
memory/1164-15-0x00007FFC79170000-0x00007FFC79C31000-memory.dmp
memory/1164-18-0x00007FFC79170000-0x00007FFC79C31000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2979eabc783eaca50de7be23dd4eafcf |
| SHA1 | d709ce5f3a06b7958a67e20870bfd95b83cad2ea |
| SHA256 | 006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903 |
| SHA512 | 92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 10890cda4b6eab618e926c4118ab0647 |
| SHA1 | 1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d |
| SHA256 | 00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14 |
| SHA512 | a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 60945d1a2e48da37d4ce8d9c56b6845a |
| SHA1 | 83e80a6acbeb44b68b0da00b139471f428a9d6c1 |
| SHA256 | 314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3 |
| SHA512 | 5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed |
memory/3500-57-0x00007FFC79173000-0x00007FFC79175000-memory.dmp
memory/3500-58-0x00007FFC79170000-0x00007FFC79C31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
| MD5 | 60159d1426f5bbd7c7de39beb0045da1 |
| SHA1 | fb161b3cc263337dd116a3b1de699c5ba348308d |
| SHA256 | 733cef3e9946378bf9f84d6f19cf1ea8c696d98a759838eb88e0673f21ad8730 |
| SHA512 | 6285f771484a8d430a864cad7f75457f04c07eddb420c678f9060ff6de5bab8921b8b5f9e8bc1318817677f3e71ab301cb4766d54e112f0c7a3dc97daa2f33ea |
C:\Users\Admin\AppData\Local\Temp\dbxxcm.bat
| MD5 | 5a0044fb674fde17aaef6aa5cec860ec |
| SHA1 | e589f24b6f840cbe5bb9495f6d6261766d5c791c |
| SHA256 | d5090e4b5fa48b21108c7a5711fa8ce484f45f88b7264a5467e32f493c8437de |
| SHA512 | 46db229454b0debb8e9a9f559c117896fe6a0025f4015b61efb716f326b7a8f6b951cf086a3b049bd674516a78b45685487e5adde7a71b68819cddfa63b497aa |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows Defender.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
memory/3500-71-0x0000000002930000-0x000000000293A000-memory.dmp
memory/3500-72-0x000000001BCC0000-0x000000001BCD2000-memory.dmp
memory/3500-76-0x000000001BCA0000-0x000000001BCAC000-memory.dmp
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
| MD5 | e6899d047e74fbaee76bc9b05e321645 |
| SHA1 | 30f607b0f013858070b27dfb44c88ea13a9e9e9d |
| SHA256 | ea5c8c2e4f5f1e901bbd119874e3af341e97a8b7e5cc5c1399fc45f6e5d5ae0d |
| SHA512 | 988a6488a667550e1e71e8bf2fc614d257ff36d55cb1a57efbc9ec1554046cbce62b35043c8ffae3e811471e6b4b82be5d65ce5f5130ecb6ade11d5ad6be9f5d |
memory/3500-272-0x00007FFC79170000-0x00007FFC79C31000-memory.dmp