Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    31-05-2024 04:07

General

  • Target

    XClient.exe

  • Size

    72KB

  • MD5

    886abac8e29288624c9cfc55dfc7d940

  • SHA1

    35cf22bb640bdb7a641ce6dbb8efec00da592b0e

  • SHA256

    8fcf527c18bd78b4fb4a7933eaba050826ce621f70ec6660da71607cf768f381

  • SHA512

    6ae6939341612bedd320d276285b9a07884aa3ae941aac90a404d50bc696336cc278e2eee32c0a8f43782c9522a86ff1a0e89cd48fdaaf2040a074a65c0036f7

  • SSDEEP

    1536:tsWNT4wTOYvKz3Gvdr4u+bXcpqmQOVXoGe6Yp2hnz/ORgRW96exN:tsa4sy7Gvd3+bXcpK2bOuWv

Malware Config

Extracted

Family

xworm

C2

loss-winners.gl.at.ply.gg:61007

Attributes
  • Install_directory

    %AppData%

  • install_file

    Expensive 3.1.exe

Signatures

  • DcRat 49 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Detect Xworm Payload 1 IoCs
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:568
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • DcRat
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4392
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Expensive 3.1.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4148
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1768
    • C:\Users\Admin\AppData\Local\Temp\uliqxd.exe
      "C:\Users\Admin\AppData\Local\Temp\uliqxd.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5068
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\SavesDllcommon\gdNhr8l.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5088
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\SavesDllcommon\BRvogp3keJwY6M0FyR4uWbtTK.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4360
          • C:\SavesDllcommon\fontsaves.exe
            "C:\SavesDllcommon\fontsaves.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4000
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6py5WUoJqb.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3552
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:4920
                • C:\SavesDllcommon\System.exe
                  "C:\SavesDllcommon\System.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3428
                  • C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe
                    "C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe"
                    8⤵
                    • Executes dropped EXE
                    PID:1284
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3536
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3812
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2012
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\SavesDllcommon\winlogon.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1904
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\SavesDllcommon\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\SavesDllcommon\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:640
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\wininit.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3716
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:72
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2116
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5060
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2504
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\spoolsv.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1456
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3388
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4536
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\unsecapp.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3948
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2252
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1668
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\SavesDllcommon\StartMenuExperienceHost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3640
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\SavesDllcommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3276
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\SavesDllcommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2500
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2200
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3592
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2828
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3764
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2472
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1512
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4688
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1376
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5112
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\csrss.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1196
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\ImmersiveControlPanel\pris\dllhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\pris\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1312
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\ImmersiveControlPanel\pris\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:572
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\SavesDllcommon\System.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\SavesDllcommon\System.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3516
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\SavesDllcommon\System.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "XClientX" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\XClient.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "XClient" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\XClient.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3084
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "XClientX" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\XClient.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Visualizations\explorer.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1028
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4008
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Visualizations\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2364
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\SMI\Manifests\unsecapp.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1892
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\SysWOW64\SMI\Manifests\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5096
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\SMI\Manifests\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1580
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004BC
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1512

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\SavesDllcommon\BRvogp3keJwY6M0FyR4uWbtTK.bat
      Filesize

      33B

      MD5

      0a9ef172b5e9daeb9c3366842676eac9

      SHA1

      18ce47e6f7a7dc2a4c0882a7fa1e69bc91f22cd2

      SHA256

      4193c6cb4fcc0e633a062825fc4b510d826d68063be74cf7f37d5db3a75ea2b6

      SHA512

      dc1985d420f4d7058529acd1afce2bd9e047f95074a3f12ca0923903bb3dab615fb938464d6a75adfd4a890aa3eeda9797c13bfb867bb02e02945af3c108d563

    • C:\SavesDllcommon\fontsaves.exe
      Filesize

      1.2MB

      MD5

      73ace1b8b0f1b1c088f11ee29b13ae6b

      SHA1

      4b7fa04aacb5a23ab37b9caaee8f852a1bd33bbc

      SHA256

      8be76a2960a823f9284836868172eff28b64de44daba8b09f91ff678bb22d614

      SHA512

      1e13cc8ac20c9e10cd13f78cb54e75b23ad255d1601d45ee78770f3cb74fe5e9bb3e84d8ca8f7c44659365da45a79b72be85d6433a8bbbac79b925839cc7e4d1

    • C:\SavesDllcommon\gdNhr8l.vbe
      Filesize

      216B

      MD5

      67750c3e2cc7970484d8e1f3e95c4454

      SHA1

      b4a6e933dfda3db9a2663798f421a2b06a0c5b35

      SHA256

      a5c935975dff3bdbd1fd9c63abc8c47d2e24dd408dd5d0760b8af2db291c9655

      SHA512

      d794c9fdc99334fe3627d03e63e41d67a6f47e5b1601eb3c4c9cd037dd6b74c238e3bd8510c7755fd4e6f366b140bf9b82d6fbe734237ee8d44de51a193c1fa9

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      627073ee3ca9676911bee35548eff2b8

      SHA1

      4c4b68c65e2cab9864b51167d710aa29ebdcff2e

      SHA256

      85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

      SHA512

      3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      2e8eb51096d6f6781456fef7df731d97

      SHA1

      ec2aaf851a618fb43c3d040a13a71997c25bda43

      SHA256

      96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

      SHA512

      0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      21017c68eaf9461301de459f4f07e888

      SHA1

      41ff30fc8446508d4c3407c79e798cf6eaa5bb73

      SHA256

      03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888

      SHA512

      956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      2e0391d00f5bfbc34be70790f14d5edf

      SHA1

      fcb04d8599c23967de4f154a101be480933ab0d0

      SHA256

      1c0c0c86d7c736fc9fb148ac7cd6e67565dc5b76fa116ae3b000a79e91855136

      SHA512

      231b9cc6efb928f0748cef04f287d9204c4f7d2eb4bc27f345e9a1afc6d0675057978ca44d1a95334ee2380709aa6dbe74015fedff8f17611a64efcfb9f64d2a

    • C:\Users\Admin\AppData\Local\Temp\6py5WUoJqb.bat
      Filesize

      193B

      MD5

      6427be0302c789764be5d54f7e002a0a

      SHA1

      ac7f0dc923bea68b72d321b4770e5d70eaa8c9e2

      SHA256

      ec42526166d1e5aa74bd6015cb52224f553a437f39c36516a1f1d79340d02b19

      SHA512

      5eefe384774b8b754e9428aed6fdfcf8649c0b5204d67798fa3f0cebd09a143eae2e5e4accdb168db53c370042faeb488b191b2b3a68b52a25e1b8f155fdb620

    • C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe
      Filesize

      3.8MB

      MD5

      137c1b0243beb35b6a0b6dbe632dc341

      SHA1

      b710da533d9a33f4d7fc78d317bbcee8dc95826d

      SHA256

      86cd8a8dc5228014e559788e7a0f5ed6fef637691bf53111e9eab4187a0652ab

      SHA512

      49ee75b71223ed47ae81a089247ff3002d50f70ede8e57af42f73745bbf7cb8ee7c71c1ab5da9d967fbe0b2f9de5dad70f4a7f4cfe44ba104d5a60be53eccabf

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4uidhoz.dzr.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\uliqxd.exe
      Filesize

      1.5MB

      MD5

      5841e08c36ee75ba2d4002507ceb9be8

      SHA1

      c679478e7041b2c3f0659403e87dc1bf011e7f2c

      SHA256

      85905bb938abe1ea461869f73103f364f2dddaae579f35d460338a21db8b8056

      SHA512

      2fdd014e5c128e7bb6112cc3facf50dd413dbb7d9e705d7c3b21dd0a9d4717281d1bdb62bf416ed1e651bea8177db3d3ae0b3ac6ba729e0eb9010e694d8d7744

    • memory/568-177-0x0000000001540000-0x000000000154C000-memory.dmp
      Filesize

      48KB

    • memory/568-51-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
      Filesize

      10.8MB

    • memory/568-1-0x0000000000C50000-0x0000000000C68000-memory.dmp
      Filesize

      96KB

    • memory/568-0-0x00007FFFAE693000-0x00007FFFAE695000-memory.dmp
      Filesize

      8KB

    • memory/568-119-0x0000000002DA0000-0x0000000002DAC000-memory.dmp
      Filesize

      48KB

    • memory/568-115-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
      Filesize

      10.8MB

    • memory/1284-171-0x000001586BCF0000-0x000001586C0B4000-memory.dmp
      Filesize

      3.8MB

    • memory/1284-181-0x000001586E880000-0x000001586E89E000-memory.dmp
      Filesize

      120KB

    • memory/1284-182-0x000001586E8A0000-0x000001586E8AB000-memory.dmp
      Filesize

      44KB

    • memory/1284-180-0x000001586E870000-0x000001586E87D000-memory.dmp
      Filesize

      52KB

    • memory/1284-179-0x000001586DD50000-0x000001586DD59000-memory.dmp
      Filesize

      36KB

    • memory/1284-178-0x000001586E690000-0x000001586E6D6000-memory.dmp
      Filesize

      280KB

    • memory/3428-123-0x000000001C440000-0x000000001C45E000-memory.dmp
      Filesize

      120KB

    • memory/3428-122-0x000000001BF10000-0x000000001BF1D000-memory.dmp
      Filesize

      52KB

    • memory/3428-124-0x000000001BF20000-0x000000001BF2B000-memory.dmp
      Filesize

      44KB

    • memory/3428-121-0x000000001BEE0000-0x000000001BEE9000-memory.dmp
      Filesize

      36KB

    • memory/3428-120-0x000000001BE90000-0x000000001BED6000-memory.dmp
      Filesize

      280KB

    • memory/4000-72-0x00000000007D0000-0x0000000000902000-memory.dmp
      Filesize

      1.2MB

    • memory/4000-75-0x000000001B5C0000-0x000000001B5D6000-memory.dmp
      Filesize

      88KB

    • memory/4000-73-0x000000001B5A0000-0x000000001B5BC000-memory.dmp
      Filesize

      112KB

    • memory/4000-74-0x000000001B610000-0x000000001B660000-memory.dmp
      Filesize

      320KB

    • memory/4000-76-0x0000000002A50000-0x0000000002A5C000-memory.dmp
      Filesize

      48KB

    • memory/4392-18-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
      Filesize

      10.8MB

    • memory/4392-17-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
      Filesize

      10.8MB

    • memory/4392-14-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
      Filesize

      10.8MB

    • memory/4392-12-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
      Filesize

      10.8MB

    • memory/4392-13-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
      Filesize

      10.8MB

    • memory/4392-11-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
      Filesize

      10.8MB

    • memory/4392-10-0x000001191A880000-0x000001191A8A2000-memory.dmp
      Filesize

      136KB