Malware Analysis Report

2024-11-16 13:29

Sample ID: 240621-by9wgsvdnb
Target: c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe
SHA256: c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db
Tags: xworm execution persistence rat trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db

Threat Level: Known bad

The file c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Detect Xworm Payload

Xworm

Detects Windows executables referencing non-Windows User-Agents

Detects executables packed with SmartAssembly

Command and Scripting Interpreter: PowerShell

Drops startup file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported: 2024-06-21 01:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-21 01:34
Reported: 2024-06-21 01:36
Platform: win7-20240508-en
Max time kernel: 135s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.lnk C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.lnk C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db = "C:\\Users\\Admin\\AppData\\Roaming\\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe" C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe
PID 2972 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe
PID 2684 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe

"C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe"

C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe

"C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe"

C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe

"C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 omirbekov.duckdns.org udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 ab29029e4940aac33c9c490e9b0cf466
SHA1 f7b2d342691c6a218235571c19affc3a6d027bf3
SHA256 df0df61135c34cc23422327d68ebf797924f68c977bfb2d0df48ace79b6ab365
SHA512 2e22b0585f1ef580ddde5fabe3711879bdd84c82b576ce5cc6fce3be2ad301f2001a5d42d53f2fc3c4994369565687d0b8650cf85c70de602f675c621d4a5d5c

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Roaming\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe

MD5 d9c9bb67226f0cf7ec29fb0dc84b4d90
SHA1 b9bfe67a4df466960f8bcf7602f9765bab2068b4
SHA256 c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db
SHA512 6348a457dab60f2dc4cbc1cca36cf89e9f9b9e08da20879b7910329c49cb214532522385b2634e973eb27845896dee3782a79aa475818724ddec5ac4c0635df5

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-21 01:34
Reported: 2024-06-21 01:36
Platform: win10v2004-20240508-en
Max time kernel: 140s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.lnk C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.lnk C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db = "C:\\Users\\Admin\\AppData\\Roaming\\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe" C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 220 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 220 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe
PID 220 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe
PID 2860 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe

"C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe"

C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe

"C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe"

C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe

"C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 omirbekov.duckdns.org udp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe.log

MD5 066de00160405ae58bf670a82b983548
SHA1 256973db594068e7f37c3011c4f1c00c515eb5fc
SHA256 e913b51520dab2615dabef13f0abc8f24a9ebd0c84c455dac6cc7811d36f81ea
SHA512 3bc8cf1f1ec78cc5ac1542964d3d64a9de0d45dcd4b95aa0ce242355faa311c5b64db36968b56dc56984227c752b7c8e41a36fffd7e86ebf30feb241542f0c97

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pldv52r1.shh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 80a185913025bb2982176b5e16ff0487
SHA1 20057199a202e0feb183d201759f93563a62e6ba
SHA256 f87ac3937fc84b6a8437b249162cc629aff87edea65b46e67b8d66515e1d5e3e
SHA512 8333f35c926d7ec7cfc35fe895385656444b57f8b29abaff65a2ed3f85277ea79ea9707b94ad78eca69fd80244fad639c6b28705ad4cef5279e5d651cfc88fb3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3f0c4a6dd02f2c0accfb434443d79c09
SHA1 43fa6522ecb3b080feae97f6e54113d29cdea281
SHA256 784811138b6e255a02211ca6d50e1a6070a6262c1733fe68fcfa457433b0ad90
SHA512 ef4f0375f34357d4851817b9dda12224b0b3475aea32ba42ecf27d14476bc552e84ab3ba97dbb09becfc82d109a2dcbf85603879c46ea20dd256d1bd14d6da16
