Malware Analysis Report

2025-08-05 19:41

Sample ID 240402-qxclxsca42
Target 4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.zip
SHA256 c9419a3e2b0ce74b0431d1af2afca5a416eb8f91a43b64832cfab1e8c2f815e1
Tags
xworm persistence rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

c9419a3e2b0ce74b0431d1af2afca5a416eb8f91a43b64832cfab1e8c2f815e1

Threat Level: Known bad

The file 4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.zip was found to be: Known bad.

Malicious Activity Summary

xworm persistence rat trojan

Xworm family

Xworm

Detect Xworm Payload

Drops startup file

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 13:38

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm family

xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 13:38

Reported

2024-04-02 13:41

Platform

win7-20231129-en

Max time kernel

138s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsHealthSystem.lnk | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsHealthSystem.lnk | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsHealthSystem = "C:\\Users\\Admin\\AppData\\Local\\WindowsHealthSystem.exe" | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2352 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\schtasks.exe
PID 2352 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\schtasks.exe
PID 2352 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\schtasks.exe
PID 2332 wrote to memory of 2804 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe
PID 2332 wrote to memory of 2804 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe
PID 2332 wrote to memory of 2804 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe
PID 2332 wrote to memory of 2540 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe
PID 2332 wrote to memory of 2540 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe
PID 2332 wrote to memory of 2540 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe
PID 2332 wrote to memory of 980 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe
PID 2332 wrote to memory of 980 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe
PID 2332 wrote to memory of 980 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe

"C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsHealthSystem.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsHealthSystem" /tr "C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {82E304E3-6E3B-4FB0-9CD1-50CFD11869AC} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe

C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe

C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe

C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe

C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe

C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | involved-hurt.gl.at.ply.gg | udp
US | 147.185.221.18:35238 | involved-hurt.gl.at.ply.gg | tcp
US | 147.185.221.18:35238 | involved-hurt.gl.at.ply.gg | tcp
US | 147.185.221.18:35238 | involved-hurt.gl.at.ply.gg | tcp
US | 147.185.221.18:35238 | involved-hurt.gl.at.ply.gg | tcp
US | 147.185.221.18:35238 | involved-hurt.gl.at.ply.gg | tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U7QRF1RFLL6OIBD2IVOQ.temp

MD5 ebd673b2c8eb1c449496188830a9c80b
SHA1 2d7ee5397cebf1eb0c579783de9dc224eccb8780
SHA256 98d50f1ada2eead852912c165a54036368d6a6ea2a0ffe36cf7d2fb683615289
SHA512 8dd93be3628461060826aa0ac2f107fecada86f263ed42387d97e8e70f4e40ebd4e8e45bed577711f3505f3c78592a793d33a1830692e8ee1e655a6ee45db586

C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe

MD5 109adf5a32829b151d536e30a81ee96b
SHA1 dc23006a97e7d5bc34eedec563432e63ed6a226a
SHA256 4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311
SHA512 74e7fb13e195dcf6b8ed0f40c034925c3762b2e0c43c8faede99ce79a4b07966ff5336769db3f9f5bb4c0478cefc879d59b43d5ded5bda3e75d19bd0a1e9e9e5

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 13:38

Reported

2024-04-02 13:41

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsHealthSystem.lnk | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsHealthSystem.lnk | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHealthSystem = "C:\\Users\\Admin\\AppData\\Local\\WindowsHealthSystem.exe" | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3924 wrote to memory of 3908 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 3908 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4132 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4132 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\schtasks.exe
PID 3924 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe | C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe

"C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsHealthSystem.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsHealthSystem" /tr "C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe"

C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe

C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe

C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe

C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe

C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe

C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 219.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | involved-hurt.gl.at.ply.gg | udp
US | 147.185.221.18:35238 | involved-hurt.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 147.185.221.18:35238 | involved-hurt.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp
US | 147.185.221.18:35238 | involved-hurt.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 147.185.221.18:35238 | involved-hurt.gl.at.ply.gg | tcp
US | 147.185.221.18:35238 | involved-hurt.gl.at.ply.gg | tcp
US | 147.185.221.18:35238 | involved-hurt.gl.at.ply.gg | tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ibs3e2im.aqr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 67e8893616f805af2411e2f4a1411b2a
SHA1 39bf1e1a0ddf46ce7c136972120f512d92827dcd
SHA256 ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31
SHA512 164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 10fb30dc297f99d6ebafa5fee8b24fa2
SHA1 76904509313a49a765edcde26b69c3a61f9fa225
SHA256 567bcacac120711fc04bf8e6c8cd0bff7b61e8ee0a6316254d1005ebb1264e6a
SHA512 c42ace1ea0923fa55592f4f486a508ea56997fdbe0200016b0fc16a33452fc28e4530129a315b3b3a5ede37a07097c13a0eb310c9e91e5d97bb7ce7b955b9498

C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe

MD5 109adf5a32829b151d536e30a81ee96b
SHA1 dc23006a97e7d5bc34eedec563432e63ed6a226a
SHA256 4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311
SHA512 74e7fb13e195dcf6b8ed0f40c034925c3762b2e0c43c8faede99ce79a4b07966ff5336769db3f9f5bb4c0478cefc879d59b43d5ded5bda3e75d19bd0a1e9e9e5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsHealthSystem.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1