Analysis

  • max time kernel
    138s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    23-03-2024 13:29

General

  • Target

    XClient.rar

  • Size

    40KB

  • MD5

    f6fe2b78efab65e5ed501ee5f2f9d556

  • SHA1

    36add79d625076f8341be0ac6161666a63144425

  • SHA256

    22adaea01c871a2dcc4dac36e4590ba5418ff0c487a8583eeda00d852b763647

  • SHA512

    eae214be1ea131f5aeff1ffce9852b38f2320d5367020ceb39de1abde3ad6f002e7d4ab4eb3bf12a3d4d45fdd052dd25bbbfa6c63a499ea664a3628c2af350e2

  • SSDEEP

    768:gXC6/UZqhWl5z0NAVH9QQzgVX/sjrCX2FQuz3n2sH994XiRqyrtVWEN91zvZBm:gXirKAVH9XgB1X2Fp2sdSgTZYEN9g

Malware Config

Extracted

Family

xworm

C2

discussion-wanted.gl.at.ply.gg:5861

Attributes
  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 3 IoCs
  • Detect ZGRat V1 6 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 12 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\XClient.rar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XClient.rar"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2136
      • C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe"
        3⤵
        • Executes dropped EXE
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2888
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:592
        • C:\Users\Admin\AppData\Local\Temp\O1QN21UTV33PR7N.exe
          "C:\Users\Admin\AppData\Local\Temp\O1QN21UTV33PR7N.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1556
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Blockperf\SsxsOgj7UItOyP.vbe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1988
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Blockperf\W03a7eRByVe59tEfoEn5p9hfLGE7liRC1WwfhocqTKwXnqoCeIu86OnqQ.bat" "
              6⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2216
              • C:\Blockperf\BlockDhcp.exe
                "C:\Blockperf/BlockDhcp.exe"
                7⤵
                • Modifies WinLogon for persistence
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2024
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvzplhmv\qvzplhmv.cmdline"
                  8⤵
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:672
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41E0.tmp" "c:\Windows\System32\CSCAE0E7A127EB44DC3857F28A972F19EAC.TMP"
                    9⤵
                    PID:1096
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\lsm.exe'
                  8⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:620
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'
                  8⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1680
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\VC\cmd.exe'
                  8⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1544
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe'
                  8⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1572
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'
                  8⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1156
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Blockperf\BlockDhcp.exe'
                  8⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2028
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5qBi1Kjer8.bat"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1984
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    9⤵
                    PID:2292
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    9⤵
                    PID:1288
                  • C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe
                    "C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2940
  • C:\Users\Admin\Desktop\XClient.exe
    "C:\Users\Admin\Desktop\XClient.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1728
  • C:\Users\Admin\Desktop\XClient.exe
    "C:\Users\Admin\Desktop\XClient.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\tracing\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Microsoft Shared\VC\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\VC\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Microsoft Shared\VC\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "BlockDhcpB" /sc MINUTE /mo 9 /tr "'C:\Blockperf\BlockDhcp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "BlockDhcp" /sc ONLOGON /tr "'C:\Blockperf\BlockDhcp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "BlockDhcpB" /sc MINUTE /mo 10 /tr "'C:\Blockperf\BlockDhcp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1804
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1900
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7109758,0x7fef7109768,0x7fef7109778
      2⤵
      PID:2824
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=284 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:2
      2⤵
      PID:1604
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:8
      2⤵
      PID:2712
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:8
      2⤵
      PID:2680
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2248 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:1
      2⤵
      PID:2348
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2256 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:1
      2⤵
      PID:1612
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=988 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:2
      2⤵
      PID:2320
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3228 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:1
      2⤵
      PID:2688
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3888 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:8
      2⤵
      PID:2784
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3964 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:1
      2⤵
      PID:2752
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:332

Network

MITRE ATT&CK Enterprise v15

                              Downloads

                              • C:\Blockperf\BlockDhcp.exe

                                Filesize

                                1.9MB

                                MD5

                                885ad16db4188802c438079fef3e24bf

                                SHA1

                                8f941a38471c9ad803a5f79ada6fe88c0bcebe1b

                                SHA256

                                581d9667e6d2b6fa9c5630f72a5bfe24622719ab0adce77c5ac3f207af871b5c

                                SHA512

                                54e17934a19994b847070705741e3b10c4145b6e9b940a563ab0835b4975cb091afbd783e48a981abd84c1b684ea8c4abfd08a83469b2580058a1f9c1959ec55

                              • C:\Blockperf\BlockDhcp.exe

                                Filesize

                                1.2MB

                                MD5

                                404c42b1d69843238b60cb02900199c2

                                SHA1

                                3a157c1860640757fda1dd8c21bae48d23109a75

                                SHA256

                                d3618dd3842ee12a3716a6b9aada892d9eaa65203710d720e77ed2a47d24d2a9

                                SHA512

                                139f24cc59a1ab27f6297204b104a8f8fd2411c14bd748b5cb9b039432841be9a8be3ffd951f89006d8fe9e7ba11d78b6668e49eb2fc327f7a57347789f91f38

                              • C:\Blockperf\SsxsOgj7UItOyP.vbe

                                Filesize

                                256B

                                MD5

                                7bd4ae5733494fe9888a9fb6cc6212b6

                                SHA1

                                155ea81b368875d5015e49b11b7ccdb9458505bd

                                SHA256

                                00fafff153878b3bc60ab36aafda3d2fccbab69c728153733fcf857016c93d50

                                SHA512

                                c573019171da281cf08d64dfdec1f71ba444819f1f444021543296cdb3fe8225e024895294ca0856e588d20789cd763d65ffbd4a0ba5a5ecc645bda2e0080664

                              • C:\Blockperf\W03a7eRByVe59tEfoEn5p9hfLGE7liRC1WwfhocqTKwXnqoCeIu86OnqQ.bat

                                Filesize

                                91B

                                MD5

                                1d4c24d719063e18d59f87ad8b86f7f0

                                SHA1

                                16e96049b02c4ac6017ea616e9419764da32feb9

                                SHA256

                                1fe35093cfbf50d0d702dc90e107c1ba9834e37b6e3be78063261eb8ed7a6051

                                SHA512

                                1902dec43b5e9552826d09f018b6edf78c993bc8ae96112918ab516790bc2d9c87f92769e4ebe28384f804036efa0fa7a405713226350638e5e4a6bdcaab46f3

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                                Filesize

                                67KB

                                MD5

                                753df6889fd7410a2e9fe333da83a429

                                SHA1

                                3c425f16e8267186061dd48ac1c77c122962456e

                                SHA256

                                b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

                                SHA512

                                9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                Filesize

                                344B

                                MD5

                                6e4052cbe6db7b551ef31d8f56fd83c6

                                SHA1

                                9e4993641b0da364348fc386faf2dcae43841854

                                SHA256

                                2293aca8ea78ca2af380d3427ab3e71dd5fe12b1edf9fb3f45d4256ca83a63dc

                                SHA512

                                c0307a82e11588f1d412e9932172c2816288762867c6625be301a935516a9f97e017925844913280618dbb2c2d46f62a7d73f299dc5d529dafd9a0a79eea6654

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

                                Filesize

                                197KB

                                MD5

                                5e28e72b443ded036a4cf369d0dda3bf

                                SHA1

                                0500de4480a54243b12d096745c6ba04c9479e66

                                SHA256

                                15fc7a054efbb9f76d937448fbb4814d7b3f25a6d137e24c1a69e32947eae71e

                                SHA512

                                7d17a5248e54e4dda8fd17a4d662edbb274629161a1e25b3b7f7f5112541663a5040788177268c53b2c78bc7e6d2204ccfb342d93c2ceec0a12d8a41788c088b

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RFf7875eb.TMP

                                Filesize

                                16B

                                MD5

                                46295cac801e5d4857d09837238a6394

                                SHA1

                                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                SHA256

                                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                SHA512

                                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

                                Filesize

                                264KB

                                MD5

                                f50f89a0a91564d0b8a211f8921aa7de

                                SHA1

                                112403a17dd69d5b9018b8cede023cb3b54eab7d

                                SHA256

                                b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                SHA512

                                bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

                                Filesize

                                16B

                                MD5

                                18e723571b00fb1694a3bad6c78e4054

                                SHA1

                                afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                                SHA256

                                8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                                SHA512

                                43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                              • C:\Users\Admin\AppData\Local\Temp\5qBi1Kjer8.bat

                                Filesize

                                234B

                                MD5

                                07ef0bd46e1bd65ad5f0a182a6850fb5

                                SHA1

                                0f4506adad70eb859928f6fbf03e74e88a650d58

                                SHA256

                                194804b1b7de197d1ddac34b4f59e3e4f1122a586526e90f59a4f756cd161fe4

                                SHA512

                                d4874041e288c98e32968003cd7a31226b10cb1a82ca46c8c0ced79a560ffaeb892e73b18b8da1abd5d5ee814df24a5487fef2b8c9ee81ed47822ba08443e305

                              • C:\Users\Admin\AppData\Local\Temp\6scYwiVJMD

                                Filesize

                                46KB

                                MD5

                                02d2c46697e3714e49f46b680b9a6b83

                                SHA1

                                84f98b56d49f01e9b6b76a4e21accf64fd319140

                                SHA256

                                522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

                                SHA512

                                60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

                              • C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe

                                Filesize

                                69KB

                                MD5

                                c44bed88966bd546fbbad5a60a2cf70b

                                SHA1

                                c731c6aa73742fcc3e331cd1442e653abedd9db3

                                SHA256

                                23d941bb13cd01b74cfb124b540d3a882d61e85ab9bf675357f7f6711d95d961

                                SHA512

                                ddd73dbe95fffc5b94be0710c89af50c322e57b3759554248d815b10614446f2d4d0ccbfc184076b56005745dde8da9c98ae04086effe9469b2f8ca1fb1d2067

                              • C:\Users\Admin\AppData\Local\Temp\NkoBt1H2nA

                                Filesize

                                20KB

                                MD5

                                c9ff7748d8fcef4cf84a5501e996a641

                                SHA1

                                02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

                                SHA256

                                4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

                                SHA512

                                d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

                              • C:\Users\Admin\AppData\Local\Temp\O1QN21UTV33PR7N.exe

                                Filesize

                                2.2MB

                              • C:\Users\Admin\AppData\Local\Temp\RES41E0.tmp

                                Filesize

                                1KB

                              • C:\Users\Admin\AppData\Local\Temp\Tar63F.tmp

                                Filesize

                                175KB

                              • C:\Users\Admin\AppData\Local\Temp\WyjbshmdET

                                Filesize

                                92KB

                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                Filesize

                                7KB

                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                Filesize

                                7KB

                              • \??\PIPE\srvsvc

                              • \??\c:\Users\Admin\AppData\Local\Temp\qvzplhmv\qvzplhmv.0.cs

                                Filesize

                                358B

                              • \??\c:\Users\Admin\AppData\Local\Temp\qvzplhmv\qvzplhmv.cmdline

                                Filesize

                                235B

                              • \??\c:\Windows\System32\CSCAE0E7A127EB44DC3857F28A972F19EAC.TMP

                                Filesize

                                1KB

                              • \Blockperf\BlockDhcp.exe

                                Filesize

                                1.8MB

                              • \Blockperf\BlockDhcp.exe

                                Filesize

                                1.4MB

                              • memory/592-54-0x000000001B290000-0x000000001B572000-memory.dmp

                                Filesize

                                2.9MB

                              • memory/592-61-0x00000000029D0000-0x0000000002A50000-memory.dmp

                                Filesize

                                512KB

                              • memory/592-56-0x000007FEEE350000-0x000007FEEECED000-memory.dmp

                                Filesize

                                9.6MB

                              • memory/592-57-0x00000000029D0000-0x0000000002A50000-memory.dmp

                                Filesize

                                512KB

                              • memory/592-55-0x0000000001F50000-0x0000000001F58000-memory.dmp

                                Filesize

                                32KB

                              • memory/592-59-0x00000000029D0000-0x0000000002A50000-memory.dmp

                                Filesize

                                512KB

                              • memory/592-63-0x000007FEEE350000-0x000007FEEECED000-memory.dmp

                                Filesize

                                9.6MB

                              • memory/592-62-0x00000000029D0000-0x0000000002A50000-memory.dmp

                                Filesize

                                512KB

                              • memory/592-58-0x000007FEEE350000-0x000007FEEECED000-memory.dmp

                                Filesize

                                9.6MB

                              • memory/620-299-0x0000000002440000-0x00000000024C0000-memory.dmp

                                Filesize

                                512KB

                              • memory/620-302-0x000000000244B000-0x00000000024B2000-memory.dmp

                                Filesize

                                412KB

                              • memory/620-297-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

                                Filesize

                                9.6MB

                              • memory/620-301-0x0000000002444000-0x0000000002447000-memory.dmp

                                Filesize

                                12KB

                              • memory/1156-294-0x0000000002614000-0x0000000002617000-memory.dmp

                                Filesize

                                12KB

                              • memory/1156-292-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

                                Filesize

                                9.6MB

                              • memory/1156-296-0x000000000261B000-0x0000000002682000-memory.dmp

                                Filesize

                                412KB

                              • memory/1544-298-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

                                Filesize

                                9.6MB

                              • memory/1544-307-0x00000000028AB000-0x0000000002912000-memory.dmp

                                Filesize

                                412KB

                              • memory/1544-303-0x00000000028A4000-0x00000000028A7000-memory.dmp

                                Filesize

                                12KB

                              • memory/1680-308-0x0000000002970000-0x00000000029F0000-memory.dmp

                                Filesize

                                512KB

                              • memory/1680-305-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

                                Filesize

                                9.6MB

                              • memory/1684-69-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

                                Filesize

                                9.9MB

                              • memory/1684-71-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

                                Filesize

                                9.9MB

                              • memory/1728-67-0x0000000000300000-0x0000000000318000-memory.dmp

                                Filesize

                                96KB

                              • memory/1728-70-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

                                Filesize

                                9.9MB

                              • memory/1728-68-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

                                Filesize

                                9.9MB

                              • memory/2024-226-0x0000000000420000-0x000000000042C000-memory.dmp

                                Filesize

                                48KB

                              • memory/2024-227-0x0000000077900000-0x0000000077901000-memory.dmp

                                Filesize

                                4KB

                              • memory/2024-221-0x0000000077920000-0x0000000077921000-memory.dmp

                                Filesize

                                4KB

                              • memory/2024-220-0x00000000004E0000-0x00000000004F8000-memory.dmp

                                Filesize

                                96KB

                              • memory/2024-218-0x0000000000440000-0x000000000045C000-memory.dmp

                                Filesize

                                112KB

                              • memory/2024-216-0x0000000077930000-0x0000000077931000-memory.dmp

                                Filesize

                                4KB

                              • memory/2024-224-0x0000000000290000-0x000000000029E000-memory.dmp

                                Filesize

                                56KB

                              • memory/2024-215-0x000000001B540000-0x000000001B5C0000-memory.dmp

                                Filesize

                                512KB

                              • memory/2024-213-0x0000000077940000-0x0000000077941000-memory.dmp

                                Filesize

                                4KB

                              • memory/2024-255-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

                                Filesize

                                9.9MB

                              • memory/2024-209-0x000000001B540000-0x000000001B5C0000-memory.dmp

                                Filesize

                                512KB

                              • memory/2024-207-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

                                Filesize

                                9.9MB

                              • memory/2024-208-0x0000000000E60000-0x0000000001046000-memory.dmp

                                Filesize

                                1.9MB

                              • memory/2024-214-0x0000000000280000-0x000000000028E000-memory.dmp

                                Filesize

                                56KB

                              • memory/2024-211-0x000000001B540000-0x000000001B5C0000-memory.dmp

                                Filesize

                                512KB

                              • memory/2024-210-0x0000000000240000-0x0000000000241000-memory.dmp

                                Filesize

                                4KB

                              • memory/2024-222-0x0000000077910000-0x0000000077911000-memory.dmp

                                Filesize

                                4KB

                              • memory/2028-300-0x0000000002934000-0x0000000002937000-memory.dmp

                                Filesize

                                12KB

                              • memory/2028-306-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

                                Filesize

                                9.6MB

                              • memory/2028-274-0x0000000002210000-0x0000000002218000-memory.dmp

                                Filesize

                                32KB

                              • memory/2028-280-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

                                Filesize

                                9.6MB

                              • memory/2028-295-0x0000000002930000-0x00000000029B0000-memory.dmp

                                Filesize

                                512KB

                              • memory/2028-291-0x0000000002930000-0x00000000029B0000-memory.dmp

                                Filesize

                                512KB

                              • memory/2028-263-0x000000001B310000-0x000000001B5F2000-memory.dmp

                                Filesize

                                2.9MB

                              • memory/2028-293-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

                                Filesize

                                9.6MB

                              • memory/2632-304-0x000000001D8E0000-0x000000001D9FE000-memory.dmp

                                Filesize

                                1.1MB

                              • memory/2632-60-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

                                Filesize

                                9.9MB

                              • memory/2632-72-0x000000001A6A0000-0x000000001A6AC000-memory.dmp

                                Filesize

                                48KB

                              • memory/2632-37-0x000000001AFC0000-0x000000001B040000-memory.dmp

                                Filesize

                                512KB

                              • memory/2632-36-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

                                Filesize

                                9.9MB

                              • memory/2632-35-0x00000000001F0000-0x0000000000208000-memory.dmp

                                Filesize

                                96KB

                              • memory/2888-48-0x000007FEEECF0000-0x000007FEEF68D000-memory.dmp

                                Filesize

                                9.6MB

                              • memory/2888-47-0x0000000002970000-0x00000000029F0000-memory.dmp

                                Filesize

                                512KB

                              • memory/2888-43-0x000000001B290000-0x000000001B572000-memory.dmp

                                Filesize

                                2.9MB

                              • memory/2888-45-0x0000000002970000-0x00000000029F0000-memory.dmp

                                Filesize

                                512KB

                              • memory/2888-46-0x0000000001F40000-0x0000000001F48000-memory.dmp

                                Filesize

                                32KB

                              • memory/2888-44-0x0000000002970000-0x00000000029F0000-memory.dmp

                                Filesize

                                512KB

                              • memory/2888-42-0x000007FEEECF0000-0x000007FEEF68D000-memory.dmp

                                Filesize

                                9.6MB