Malware Analysis Report

2024-10-18 21:24

Sample ID 240323-qrqllagd27
Target XClient.rar
SHA256 22adaea01c871a2dcc4dac36e4590ba5418ff0c487a8583eeda00d852b763647
Tags
stormkitty xworm zgrat persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

22adaea01c871a2dcc4dac36e4590ba5418ff0c487a8583eeda00d852b763647

Threat Level: Known bad

The file XClient.rar was found to be: Known bad.

Malicious Activity Summary

stormkitty xworm zgrat persistence rat spyware stealer trojan

Detect Xworm Payload

Xworm

StormKitty payload

Modifies WinLogon for persistence

Process spawned unexpected child process

ZGRat

StormKitty

Detect ZGRat V1

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-23 13:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-23 13:29

Reported

2024-03-23 13:32

Platform

win7-20240221-en

Max time kernel

138s

Max time network

152s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\XClient.rar

Signatures

Detect Xworm Payload

3 hits (the report records no description, indicator, process or target for this signature).

Detect ZGRat V1

6 hits (no description, indicator, process or target recorded).

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\tracing\\lsm.exe\"" C:\Blockperf\BlockDhcp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\tracing\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\"" C:\Blockperf\BlockDhcp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\tracing\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\cmd.exe\"" C:\Blockperf\BlockDhcp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\tracing\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\cmd.exe\", \"C:\\Recovery\\53c2ef02-d124-11ee-be41-9f00cc481deb\\csrss.exe\"" C:\Blockperf\BlockDhcp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\tracing\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\cmd.exe\", \"C:\\Recovery\\53c2ef02-d124-11ee-be41-9f00cc481deb\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\"" C:\Blockperf\BlockDhcp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\tracing\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\cmd.exe\", \"C:\\Recovery\\53c2ef02-d124-11ee-be41-9f00cc481deb\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Blockperf\\BlockDhcp.exe\"" C:\Blockperf\BlockDhcp.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (18 events, one per schtasks.exe /create listed under Processes) N/A C:\Windows\system32\schtasks.exe

wmiprvse.exe is the WMI provider host, so the 18 schtasks.exe invocations were launched through WMI rather than directly by BlockDhcp.exe; a detection that keys only on the BlockDhcp.exe -> schtasks.exe parent/child link will not see them, while a rule on wmiprvse.exe spawning schtasks.exe (or on the schtasks command lines themselves) will.

StormKitty

stealer stormkitty

StormKitty payload

1 hit (no description, indicator, process or target recorded).

Xworm

trojan rat xworm

ZGRat

rat zgrat

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe (2 events) N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\tracing\\lsm.exe\"" C:\Blockperf\BlockDhcp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\cmd.exe\"" C:\Blockperf\BlockDhcp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\"" C:\Blockperf\BlockDhcp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\"" C:\Blockperf\BlockDhcp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\BlockDhcp = "\"C:\\Blockperf\\BlockDhcp.exe\"" C:\Blockperf\BlockDhcp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\tracing\\lsm.exe\"" C:\Blockperf\BlockDhcp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\"" C:\Blockperf\BlockDhcp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\"" C:\Blockperf\BlockDhcp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\cmd.exe\"" C:\Blockperf\BlockDhcp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\53c2ef02-d124-11ee-be41-9f00cc481deb\\csrss.exe\"" C:\Blockperf\BlockDhcp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\53c2ef02-d124-11ee-be41-9f00cc481deb\\csrss.exe\"" C:\Blockperf\BlockDhcp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BlockDhcp = "\"C:\\Blockperf\\BlockDhcp.exe\"" C:\Blockperf\BlockDhcp.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com (2 events) N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\annrns.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\CSCAE0E7A127EB44DC3857F28A972F19EAC.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\69ddcba757bf72 C:\Blockperf\BlockDhcp.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VC\cmd.exe C:\Blockperf\BlockDhcp.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VC\ebf1f9fa8afd6d C:\Blockperf\BlockDhcp.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe C:\Blockperf\BlockDhcp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe C:\Blockperf\BlockDhcp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\tracing\lsm.exe C:\Blockperf\BlockDhcp.exe N/A
File created C:\Windows\tracing\101b941d020240 C:\Blockperf\BlockDhcp.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob, written twice; the raw data is not reproduced in this report) C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe N/A

Caveat for triage: AuthRoot\Certificates is the store that Windows' automatic root-certificate update writes to when a TLS chain needs a root that is not yet cached locally, and that update runs inside whichever process is validating the chain. A write there by XClient.exe around its first outbound HTTPS request (raw.githubusercontent.com, ip-api.com) is therefore consistent with the OS fetching a missing root rather than the sample installing its own; check whether the thumbprint belongs to a publicly trusted root before counting this as evasion.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 events) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe (1 event) N/A
N/A N/A C:\Blockperf\BlockDhcp.exe (61 events) N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 (SE_CREATE_SYMBOLIC_LINK_PRIVILEGE, i.e. SeCreateSymbolicLinkPrivilege; the report printed the raw privilege value) N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Blockperf\BlockDhcp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe (3 events) N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe (34 events) N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe (32 events) N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 2136 (3 events) N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2136 wrote to memory of 2632 (3 events) N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe
PID 2632 wrote to memory of 2888 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 592 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 1556 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe C:\Users\Admin\AppData\Local\Temp\O1QN21UTV33PR7N.exe
PID 1556 wrote to memory of 1988 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\O1QN21UTV33PR7N.exe C:\Windows\SysWOW64\WScript.exe
PID 1988 wrote to memory of 2216 (4 events) N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 2024 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Blockperf\BlockDhcp.exe
PID 2024 wrote to memory of 672 (3 events) N/A C:\Blockperf\BlockDhcp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 672 wrote to memory of 1096 (3 events) N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2024 wrote to memory of 620 (3 events) N/A C:\Blockperf\BlockDhcp.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 1680 (3 events) N/A C:\Blockperf\BlockDhcp.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 1544 (3 events) N/A C:\Blockperf\BlockDhcp.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 1572 (3 events) N/A C:\Blockperf\BlockDhcp.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 1156 (3 events) N/A C:\Blockperf\BlockDhcp.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 2028 (3 events) N/A C:\Blockperf\BlockDhcp.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 1984 (3 events) N/A C:\Blockperf\BlockDhcp.exe C:\Windows\System32\cmd.exe
PID 1984 wrote to memory of 2292 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1984 wrote to memory of 1288 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1984 wrote to memory of 2940 (3 events) N/A C:\Windows\System32\cmd.exe C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe

Every pair above matches a parent/child relationship in the Processes list, so these writes are consistent with process creation rather than injection into an unrelated process. Read as a tree: cmd.exe 2200 → 7zFM.exe 2136 → XClient.exe 2632 → {powershell.exe 2888, powershell.exe 592, O1QN21UTV33PR7N.exe 1556 → WScript.exe 1988 (SsxsOgj7UItOyP.vbe) → cmd.exe 2216 (W03a7eRByVe59tEfoEn5p9hfLGE7liRC1WwfhocqTKwXnqoCeIu86OnqQ.bat) → BlockDhcp.exe 2024 → {csc.exe 672 → cvtres.exe 1096, six powershell.exe instances, cmd.exe 1984 → {chcp.com 2292, w32tm.exe 1288, csrss.exe 2940}}}.

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\XClient.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XClient.rar"

C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Users\Admin\Desktop\XClient.exe

"C:\Users\Admin\Desktop\XClient.exe"

C:\Users\Admin\Desktop\XClient.exe

"C:\Users\Admin\Desktop\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\O1QN21UTV33PR7N.exe

"C:\Users\Admin\AppData\Local\Temp\O1QN21UTV33PR7N.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Blockperf\SsxsOgj7UItOyP.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Blockperf\W03a7eRByVe59tEfoEn5p9hfLGE7liRC1WwfhocqTKwXnqoCeIu86OnqQ.bat" "

C:\Blockperf\BlockDhcp.exe

"C:\Blockperf/BlockDhcp.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\tracing\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\lsm.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvzplhmv\qvzplhmv.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41E0.tmp" "c:\Windows\System32\CSCAE0E7A127EB44DC3857F28A972F19EAC.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Microsoft Shared\VC\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\VC\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Microsoft Shared\VC\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BlockDhcpB" /sc MINUTE /mo 9 /tr "'C:\Blockperf\BlockDhcp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BlockDhcp" /sc ONLOGON /tr "'C:\Blockperf\BlockDhcp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BlockDhcpB" /sc MINUTE /mo 10 /tr "'C:\Blockperf\BlockDhcp.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\VC\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Blockperf\BlockDhcp.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5qBi1Kjer8.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe

"C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7109758,0x7fef7109768,0x7fef7109778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=284 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2248 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2256 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=988 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3228 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3888 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3964 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discussion-wanted.gl.at.ply.gg udp
US 147.185.221.19:5861 discussion-wanted.gl.at.ply.gg tcp
US 147.185.221.19:5861 discussion-wanted.gl.at.ply.gg tcp
US 8.8.8.8:53 951499cm.nyashtech.top udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
US 104.21.31.169:80 951499cm.nyashtech.top tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 104.21.31.169:80 951499cm.nyashtech.top tcp
US 104.21.31.169:80 951499cm.nyashtech.top tcp
US 147.185.221.19:5861 discussion-wanted.gl.at.ply.gg tcp
US 147.185.221.19:5861 discussion-wanted.gl.at.ply.gg tcp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
NL 142.250.179.196:443 www.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
NL 172.217.168.234:443 content-autofill.googleapis.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe

MD5 c44bed88966bd546fbbad5a60a2cf70b
SHA1 c731c6aa73742fcc3e331cd1442e653abedd9db3
SHA256 23d941bb13cd01b74cfb124b540d3a882d61e85ab9bf675357f7f6711d95d961
SHA512 ddd73dbe95fffc5b94be0710c89af50c322e57b3759554248d815b10614446f2d4d0ccbfc184076b56005745dde8da9c98ae04086effe9469b2f8ca1fb1d2067

memory/2632-35-0x00000000001F0000-0x0000000000208000-memory.dmp

memory/2632-36-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

memory/2632-37-0x000000001AFC0000-0x000000001B040000-memory.dmp

memory/2888-42-0x000007FEEECF0000-0x000007FEEF68D000-memory.dmp

memory/2888-44-0x0000000002970000-0x00000000029F0000-memory.dmp

memory/2888-46-0x0000000001F40000-0x0000000001F48000-memory.dmp

memory/2888-45-0x0000000002970000-0x00000000029F0000-memory.dmp

memory/2888-43-0x000000001B290000-0x000000001B572000-memory.dmp

memory/2888-47-0x0000000002970000-0x00000000029F0000-memory.dmp

memory/2888-48-0x000007FEEECF0000-0x000007FEEF68D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 843be6f1fc8be19b55201cda0558ea34
SHA1 2f2283517bf170e287f9cc8b31d2a41b1e1624f8
SHA256 0ac38540bc702d2af7f144c1deb7c835857d39aba1277792c424ce7c1f239108
SHA512 dc66896d7fe82e895076b07ad9be4763f665c89535b8ec7a9a7524913245afc65827b4777b08d2eb22e27c58ab7cdc9cf8411f39b23f647abe2b5faf9bf65fd5

memory/592-54-0x000000001B290000-0x000000001B572000-memory.dmp

memory/592-56-0x000007FEEE350000-0x000007FEEECED000-memory.dmp

memory/592-57-0x00000000029D0000-0x0000000002A50000-memory.dmp

memory/592-55-0x0000000001F50000-0x0000000001F58000-memory.dmp

memory/592-61-0x00000000029D0000-0x0000000002A50000-memory.dmp

memory/2632-60-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

memory/592-59-0x00000000029D0000-0x0000000002A50000-memory.dmp

memory/592-58-0x000007FEEE350000-0x000007FEEECED000-memory.dmp

memory/592-62-0x00000000029D0000-0x0000000002A50000-memory.dmp

memory/592-63-0x000007FEEE350000-0x000007FEEECED000-memory.dmp

memory/1728-67-0x0000000000300000-0x0000000000318000-memory.dmp

memory/1728-68-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

memory/1684-69-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

memory/1728-70-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

memory/1684-71-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

memory/2632-72-0x000000001A6A0000-0x000000001A6AC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar63F.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\Local\Temp\O1QN21UTV33PR7N.exe

MD5 a61d423019f0f0b040c9fa740eac0b32
SHA1 f17c16cf0b313eb622511ce4dfcee561c8579611
SHA256 c6a3c48defac245c5a5895199196518308be9a1aaa6402ba08389eeb5671f4e1
SHA512 7086e88c7b8c48a66401dc8fb6e05ac5f34365b33f982f9b69af7feef5de75f6a73e507f14d6ab463c84ea385d547ccd17f0d02f109d37b30fc30b3be4f14feb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6e4052cbe6db7b551ef31d8f56fd83c6
SHA1 9e4993641b0da364348fc386faf2dcae43841854
SHA256 2293aca8ea78ca2af380d3427ab3e71dd5fe12b1edf9fb3f45d4256ca83a63dc
SHA512 c0307a82e11588f1d412e9932172c2816288762867c6625be301a935516a9f97e017925844913280618dbb2c2d46f62a7d73f299dc5d529dafd9a0a79eea6654

C:\Blockperf\SsxsOgj7UItOyP.vbe

MD5 7bd4ae5733494fe9888a9fb6cc6212b6
SHA1 155ea81b368875d5015e49b11b7ccdb9458505bd
SHA256 00fafff153878b3bc60ab36aafda3d2fccbab69c728153733fcf857016c93d50
SHA512 c573019171da281cf08d64dfdec1f71ba444819f1f444021543296cdb3fe8225e024895294ca0856e588d20789cd763d65ffbd4a0ba5a5ecc645bda2e0080664

C:\Blockperf\W03a7eRByVe59tEfoEn5p9hfLGE7liRC1WwfhocqTKwXnqoCeIu86OnqQ.bat

MD5 1d4c24d719063e18d59f87ad8b86f7f0
SHA1 16e96049b02c4ac6017ea616e9419764da32feb9
SHA256 1fe35093cfbf50d0d702dc90e107c1ba9834e37b6e3be78063261eb8ed7a6051
SHA512 1902dec43b5e9552826d09f018b6edf78c993bc8ae96112918ab516790bc2d9c87f92769e4ebe28384f804036efa0fa7a405713226350638e5e4a6bdcaab46f3

C:\Blockperf\BlockDhcp.exe

MD5 404c42b1d69843238b60cb02900199c2
SHA1 3a157c1860640757fda1dd8c21bae48d23109a75
SHA256 d3618dd3842ee12a3716a6b9aada892d9eaa65203710d720e77ed2a47d24d2a9
SHA512 139f24cc59a1ab27f6297204b104a8f8fd2411c14bd748b5cb9b039432841be9a8be3ffd951f89006d8fe9e7ba11d78b6668e49eb2fc327f7a57347789f91f38

\Blockperf\BlockDhcp.exe

MD5 039824c44f3ed63c759521f9cc343c94
SHA1 18735822a45f54dcb19db475851ebae83449bbe0
SHA256 61cca04d87be46a90cf6660c9f98fd3504610e6260ada654502a45abe2400659
SHA512 2de45a8e8cf78b77c46f3f77c37993181031941cb76b3866bfa19e5964fc7657cef7e92c4d80c3f12636a40607c5dee48e8506d46f8d988d78895dbabc651b58

C:\Blockperf\BlockDhcp.exe

MD5 885ad16db4188802c438079fef3e24bf
SHA1 8f941a38471c9ad803a5f79ada6fe88c0bcebe1b
SHA256 581d9667e6d2b6fa9c5630f72a5bfe24622719ab0adce77c5ac3f207af871b5c
SHA512 54e17934a19994b847070705741e3b10c4145b6e9b940a563ab0835b4975cb091afbd783e48a981abd84c1b684ea8c4abfd08a83469b2580058a1f9c1959ec55

\Blockperf\BlockDhcp.exe

MD5 e8b976e2ce8a06d07770fd30bed7c634
SHA1 e661038f24d7702e8ff429cf9e139e741c19391e
SHA256 9df623453c6eb3ead8335e1555de3d1900250e59ae5b21056d01a327bf41858f
SHA512 93df7387233cac93131cc903798aefa363c42193ab106d3f6e2100c751578958167d7ffda22fb65ae582b9f4a10a177a4396bef05fb4cc3c63dfc2b0f78bc596

memory/2024-207-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

memory/2024-208-0x0000000000E60000-0x0000000001046000-memory.dmp

memory/2024-209-0x000000001B540000-0x000000001B5C0000-memory.dmp

memory/2024-210-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2024-211-0x000000001B540000-0x000000001B5C0000-memory.dmp

memory/2024-214-0x0000000000280000-0x000000000028E000-memory.dmp

memory/2024-213-0x0000000077940000-0x0000000077941000-memory.dmp

memory/2024-215-0x000000001B540000-0x000000001B5C0000-memory.dmp

memory/2024-216-0x0000000077930000-0x0000000077931000-memory.dmp

memory/2024-218-0x0000000000440000-0x000000000045C000-memory.dmp

memory/2024-220-0x00000000004E0000-0x00000000004F8000-memory.dmp

memory/2024-221-0x0000000077920000-0x0000000077921000-memory.dmp

memory/2024-222-0x0000000077910000-0x0000000077911000-memory.dmp

memory/2024-224-0x0000000000290000-0x000000000029E000-memory.dmp

memory/2024-226-0x0000000000420000-0x000000000042C000-memory.dmp

memory/2024-227-0x0000000077900000-0x0000000077901000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\qvzplhmv\qvzplhmv.cmdline

MD5 1d1afd7188c6764491f857e875de19c0
SHA1 c20ee41f93fd460328195c79df3b00091122e677
SHA256 ae311c79a1b89d97eb331f16a5bf11a3f6ab79c4850215af1c702900b67276fa
SHA512 36b6476c9707ddc1bebb2dec2b5a997f7ce84ff9eea9381809104a534a26a88234193daf657ae04e0f2b367f218afd8dc3045a46cb815305fbc1ce00a90bf09c

\??\c:\Users\Admin\AppData\Local\Temp\qvzplhmv\qvzplhmv.0.cs

MD5 8a809ccea14048c92029e0bb90cbdeee
SHA1 bb4f519053accc0b2b22cb8e668117f6cea85406
SHA256 37e89d4e77ce79f047b8636aa625edb34b604e8a0bcd775289050700b50e428a
SHA512 85cce140f750a25fd9172d59c31a66274236a6004258f1387876d430aa3a8609d2a4f345452a828dd1fd4efb7142736a83135bec1aad5d6faec1c20d55c701a9

C:\Users\Admin\AppData\Local\Temp\RES41E0.tmp

MD5 49df49d41c7e8d8872a7e47cc3678ef5
SHA1 a126b62d949fadbac828406ccf7b08c9fe20451d
SHA256 257e28324ec8d93d7be615661b6f19cd0e3b831f0cb79c15d6fbebfe22e5ef4c
SHA512 2250ca7572e50953d4c20be4e0a6b8de3739e12775e55cbfd3755d4fc53b9d89ecaf38c9eb2635ba7e10c2a28a9248171495b077d6f9632f3cc301b5005f1f7e

\??\c:\Windows\System32\CSCAE0E7A127EB44DC3857F28A972F19EAC.TMP

MD5 43a92fb26ccec8bcb0162ca5fbfbc2c7
SHA1 e104771c01cfa66de953a741c7481042bb6c1129
SHA256 6ee663461717602a5ed973d81549bc26967ec1e577640708b36d4b5dfda52600
SHA512 be826622ccf91a1f66bcef96c21d95c375f666ee688add5fdd8b3839c5d0d50a4266fdfde8015eadb9090499511b82822e5f08478fa21be3ee453f8cef8a7b04

memory/2028-263-0x000000001B310000-0x000000001B5F2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 85fd7a37a2a54b631465a2a135a24a19
SHA1 5b3918ea55569e6553c066122ee96df0e5a0e824
SHA256 725b3942b2302e545caf06d282f9519dfa3702b57d55173de31a2421ebd988bf
SHA512 a48020fc7c8694fca441a07180e63b6402e1746dfadbfd2eaa6759a1422273539ee0d4aa143441627ff74ced2db900a5de8d304271a29b74a7779e2ecd1e020a

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2024-255-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

memory/2028-291-0x0000000002930000-0x00000000029B0000-memory.dmp

memory/2028-280-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

memory/2028-274-0x0000000002210000-0x0000000002218000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5qBi1Kjer8.bat

MD5 07ef0bd46e1bd65ad5f0a182a6850fb5
SHA1 0f4506adad70eb859928f6fbf03e74e88a650d58
SHA256 194804b1b7de197d1ddac34b4f59e3e4f1122a586526e90f59a4f756cd161fe4
SHA512 d4874041e288c98e32968003cd7a31226b10cb1a82ca46c8c0ced79a560ffaeb892e73b18b8da1abd5d5ee814df24a5487fef2b8c9ee81ed47822ba08443e305

memory/1156-292-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

memory/1156-294-0x0000000002614000-0x0000000002617000-memory.dmp

memory/2028-293-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

memory/620-301-0x0000000002444000-0x0000000002447000-memory.dmp

memory/2028-300-0x0000000002934000-0x0000000002937000-memory.dmp

memory/620-299-0x0000000002440000-0x00000000024C0000-memory.dmp

memory/1544-298-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

memory/620-297-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

memory/620-302-0x000000000244B000-0x00000000024B2000-memory.dmp

memory/1544-307-0x00000000028AB000-0x0000000002912000-memory.dmp

memory/1680-308-0x0000000002970000-0x00000000029F0000-memory.dmp

memory/1544-303-0x00000000028A4000-0x00000000028A7000-memory.dmp

memory/2028-306-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

memory/1680-305-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

memory/2632-304-0x000000001D8E0000-0x000000001D9FE000-memory.dmp

memory/1156-296-0x000000000261B000-0x0000000002682000-memory.dmp

memory/2028-295-0x0000000002930000-0x00000000029B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NkoBt1H2nA

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Temp\6scYwiVJMD

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\WyjbshmdET

MD5 bd46342c69fd0683a51911e8976bf6b9
SHA1 17a2451a41ecaaa03e7634dfd5c534aff30d4ce4
SHA256 f1467f4fb97e82cbb8490d787f2ca113f32fcc94a6d008fffb3ae7e73e5a089b
SHA512 91e7f0bd5acd35b68788d077529b76a54e9bc4875129a2134bfd5ed5e27588cb43fea26a241e184d9170155c961c16bc724e00502f173351ec2df5c9e3cfb32f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RFf7875eb.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

MD5 5e28e72b443ded036a4cf369d0dda3bf
SHA1 0500de4480a54243b12d096745c6ba04c9479e66
SHA256 15fc7a054efbb9f76d937448fbb4814d7b3f25a6d137e24c1a69e32947eae71e
SHA512 7d17a5248e54e4dda8fd17a4d662edbb274629161a1e25b3b7f7f5112541663a5040788177268c53b2c78bc7e6d2204ccfb342d93c2ceec0a12d8a41788c088b

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-23 13:29

Reported

2024-03-23 13:32

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

149s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\XClient.rar

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4928 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 4928 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\XClient.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XClient.rar"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
NL 142.250.179.170:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 170.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

N/A