Malware Analysis Report

2025-08-05 19:41

Sample ID 240402-rr96nsdb42
Target 68WAntiLagApp_protected.exe
SHA256 5f6d2b2e54fd3058a6c664c5b9763e59ffb8f9b4de5db74611f7b93178a065af
Tags
xworm persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5f6d2b2e54fd3058a6c664c5b9763e59ffb8f9b4de5db74611f7b93178a065af

Threat Level: Known bad

The file 68WAntiLagApp_protected.exe was found to be: Known bad.

Malicious Activity Summary

xworm persistence rat trojan

Xworm

Detect Xworm Payload

Loads dropped DLL

Drops startup file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 14:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 14:26

Reported

2024-04-02 14:30

Platform

win7-20231129-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer\\explorer.exe.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2316 set thread context of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2316 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2316 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2316 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2316 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2316 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2316 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2316 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2316 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2316 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2316 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2316 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2316 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2316 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3032 wrote to memory of 2760 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3032 wrote to memory of 2760 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3032 wrote to memory of 2760 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3032 wrote to memory of 2760 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1896 wrote to memory of 2328 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1896 wrote to memory of 2328 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1896 wrote to memory of 2328 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1896 wrote to memory of 2328 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1896 wrote to memory of 2912 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1896 wrote to memory of 2912 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1896 wrote to memory of 2912 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1896 wrote to memory of 2912 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1896 wrote to memory of 1496 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1896 wrote to memory of 1496 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1896 wrote to memory of 1496 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1896 wrote to memory of 1496 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe

"C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'explorer';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'explorer' -Value '"C:\Users\Admin\AppData\Roaming\explorer\explorer.exe.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \explorer /tr "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \explorer /tr "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {73A08273-ECBF-483B-A8B8-F1EBED3A1075} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe"

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | region-vip.gl.at.ply.gg | udp
US | 147.185.221.18:52733 | region-vip.gl.at.ply.gg | tcp

Files

memory/2316-0-0x0000000000F90000-0x0000000000FCA000-memory.dmp

memory/2316-1-0x0000000074990000-0x000000007507E000-memory.dmp

memory/3032-3-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3032-5-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3032-7-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3032-8-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3032-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3032-11-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3032-18-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3032-14-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2316-13-0x0000000074990000-0x000000007507E000-memory.dmp

memory/2216-19-0x0000000073630000-0x0000000073BDB000-memory.dmp

memory/2216-21-0x0000000002AE0000-0x0000000002B20000-memory.dmp

memory/2216-23-0x0000000002AE0000-0x0000000002B20000-memory.dmp

memory/2216-22-0x0000000002AE0000-0x0000000002B20000-memory.dmp

memory/2216-20-0x0000000073630000-0x0000000073BDB000-memory.dmp

memory/2216-24-0x0000000073630000-0x0000000073BDB000-memory.dmp

\Users\Admin\AppData\Roaming\explorer.exe

MD5 b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1 d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512 b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

memory/2328-32-0x0000000001270000-0x0000000001282000-memory.dmp

memory/2328-33-0x0000000074830000-0x0000000074F1E000-memory.dmp

memory/2328-34-0x0000000074830000-0x0000000074F1E000-memory.dmp

memory/1664-35-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

memory/1664-36-0x00000000021D0000-0x00000000021D1000-memory.dmp

memory/1664-38-0x00000000021D0000-0x00000000021D1000-memory.dmp

memory/2912-40-0x0000000000150000-0x0000000000162000-memory.dmp

memory/2912-41-0x0000000074830000-0x0000000074F1E000-memory.dmp

memory/1716-42-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1716-43-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1496-46-0x0000000074830000-0x0000000074F1E000-memory.dmp

memory/1496-45-0x0000000000C60000-0x0000000000C72000-memory.dmp

memory/1496-47-0x0000000074830000-0x0000000074F1E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 14:26

Reported

2024-04-02 14:30

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer\\explorer.exe.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1624 set thread context of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1624 wrote to memory of 4996 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1624 wrote to memory of 4996 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1624 wrote to memory of 4996 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1624 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1624 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1624 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1624 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1624 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1624 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1624 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1624 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3656 wrote to memory of 5044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3656 wrote to memory of 5044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3656 wrote to memory of 5044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1064 wrote to memory of 4660 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1064 wrote to memory of 4660 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1064 wrote to memory of 4660 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe

"C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'explorer';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'explorer' -Value '"C:\Users\Admin\AppData\Roaming\explorer\explorer.exe.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \explorer /tr "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \explorer /tr "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | region-vip.gl.at.ply.gg | udp
US | 147.185.221.18:52733 | region-vip.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 18.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.162.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.86.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp

Files

memory/1624-0-0x0000000000AC0000-0x0000000000AFA000-memory.dmp

memory/1624-1-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/1624-2-0x0000000005970000-0x0000000005F14000-memory.dmp

memory/1064-4-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1624-6-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/4996-7-0x0000000004B80000-0x0000000004BB6000-memory.dmp

memory/1064-9-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/1064-8-0x0000000005280000-0x000000000531C000-memory.dmp

memory/4996-10-0x00000000051F0000-0x0000000005818000-memory.dmp

memory/4996-11-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/4996-13-0x0000000004B70000-0x0000000004B80000-memory.dmp

memory/4996-12-0x00000000051A0000-0x00000000051C2000-memory.dmp

memory/4996-14-0x0000000004B70000-0x0000000004B80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xav5so03.jlk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4996-15-0x0000000005A90000-0x0000000005AF6000-memory.dmp

memory/4996-25-0x0000000005C70000-0x0000000005CD6000-memory.dmp

memory/4996-26-0x0000000005CE0000-0x0000000006034000-memory.dmp

memory/4996-27-0x0000000006140000-0x000000000615E000-memory.dmp

memory/4996-28-0x0000000006170000-0x00000000061BC000-memory.dmp

memory/4996-29-0x000000007F740000-0x000000007F750000-memory.dmp

memory/4996-30-0x0000000006710000-0x0000000006742000-memory.dmp

memory/4996-31-0x0000000072D90000-0x0000000072DDC000-memory.dmp

memory/4996-41-0x0000000006750000-0x000000000676E000-memory.dmp

memory/4996-42-0x0000000004B70000-0x0000000004B80000-memory.dmp

memory/4996-43-0x0000000004B70000-0x0000000004B80000-memory.dmp

memory/4996-44-0x0000000007330000-0x00000000073D3000-memory.dmp

memory/4996-45-0x0000000007AB0000-0x000000000812A000-memory.dmp

memory/4996-46-0x0000000007460000-0x000000000747A000-memory.dmp

memory/4996-47-0x00000000074E0000-0x00000000074EA000-memory.dmp

memory/4996-48-0x00000000076E0000-0x0000000007776000-memory.dmp

memory/4996-49-0x0000000007660000-0x0000000007671000-memory.dmp

memory/4996-50-0x0000000007690000-0x000000000769E000-memory.dmp

memory/4996-51-0x00000000076A0000-0x00000000076B4000-memory.dmp

memory/4996-52-0x00000000077A0000-0x00000000077BA000-memory.dmp

memory/4996-53-0x0000000007780000-0x0000000007788000-memory.dmp

memory/4996-54-0x00000000077C0000-0x00000000077E2000-memory.dmp

memory/4996-57-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/1064-62-0x0000000005420000-0x0000000005430000-memory.dmp

memory/1064-63-0x0000000075350000-0x0000000075B00000-memory.dmp

C:\Users\Admin\AppData\Roaming\explorer.exe

MD5 0d5df43af2916f47d00c1573797c1a13
SHA1 230ab5559e806574d26b4c20847c368ed55483b0
SHA256 c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512 f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

memory/968-66-0x0000000000200000-0x0000000000212000-memory.dmp

memory/968-67-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/968-69-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/1064-70-0x0000000005420000-0x0000000005430000-memory.dmp

memory/1064-71-0x0000000007400000-0x0000000007492000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\explorer.exe.log

MD5 84cfdb4b995b1dbf543b26b86c863adc
SHA1 d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256 d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

memory/2456-75-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/4560-76-0x0000020EEED60000-0x0000020EEED61000-memory.dmp

memory/4560-77-0x0000020EEED60000-0x0000020EEED61000-memory.dmp

memory/4560-78-0x0000020EEED60000-0x0000020EEED61000-memory.dmp

memory/4560-82-0x0000020EEED60000-0x0000020EEED61000-memory.dmp

memory/4560-83-0x0000020EEED60000-0x0000020EEED61000-memory.dmp

memory/4560-84-0x0000020EEED60000-0x0000020EEED61000-memory.dmp

memory/4560-85-0x0000020EEED60000-0x0000020EEED61000-memory.dmp

memory/4560-86-0x0000020EEED60000-0x0000020EEED61000-memory.dmp

memory/4560-87-0x0000020EEED60000-0x0000020EEED61000-memory.dmp

memory/4560-88-0x0000020EEED60000-0x0000020EEED61000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk

MD5 3d1ce826bf40e13c5e77d2b8f8f44316
SHA1 f79cbf9e5913391236182c82e8bfcdb9b787ec18
SHA256 9ddc8a468e10a4d42af997f4352ae6ee826efd145ba6be186f2c20e4d916c958
SHA512 e610cfa7031aa7f7cfb2ebd1903d655dd93f0ec7d19726f24009a44e1e15dacc726cd42928e57cbf90a987281deb5c493d27ffc3f77a323a5caff7370985478f

memory/2456-90-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/4508-92-0x0000000075350000-0x0000000075B00000-memory.dmp