Analysis Overview
SHA256
fd3e6807f8eaed1b3ae4a229c6d17584f4985665973320342a2016b79e3ad87d
Threat Level: Known bad
The file XClient.rar was found to be: Known bad.
Malicious Activity Summary
Xworm family
Process spawned unexpected child process
Detect Xworm Payload
Xworm
DcRat
DCRat payload
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 04:07
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 04:07
Reported
2024-05-31 04:10
Platform
win11-20240508-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
DcRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
(The row above appears 48 times in the report, once for each schtasks.exe child spawned under wmiprvse.exe.)
Xworm
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uliqxd.exe | N/A |
| N/A | N/A | C:\SavesDllcommon\fontsaves.exe | N/A |
| N/A | N/A | C:\SavesDllcommon\System.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\Expensive 3.1 = "C:\\Users\\Admin\\AppData\\Roaming\\Expensive 3.1.exe" | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\SMI\Manifests\unsecapp.exe | C:\SavesDllcommon\fontsaves.exe | N/A |
| File created | C:\Windows\SysWOW64\SMI\Manifests\29c1c3cc0f7685 | C:\SavesDllcommon\fontsaves.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe | C:\SavesDllcommon\fontsaves.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\7a0fd90576e088 | C:\SavesDllcommon\fontsaves.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe | C:\SavesDllcommon\fontsaves.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\7a0fd90576e088 | C:\SavesDllcommon\fontsaves.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe | C:\SavesDllcommon\fontsaves.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\en-US\5b884080fd4f94 | C:\SavesDllcommon\fontsaves.exe | N/A |
| File created | C:\Program Files\Windows Media Player\Visualizations\explorer.exe | C:\SavesDllcommon\fontsaves.exe | N/A |
| File created | C:\Program Files\Windows Media Player\Visualizations\7a0fd90576e088 | C:\SavesDllcommon\fontsaves.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Migration\WTR\5940a34987c991 | C:\SavesDllcommon\fontsaves.exe | N/A |
| File created | C:\Windows\addins\csrss.exe | C:\SavesDllcommon\fontsaves.exe | N/A |
| File created | C:\Windows\addins\886983d96e3d3e | C:\SavesDllcommon\fontsaves.exe | N/A |
| File created | C:\Windows\ImmersiveControlPanel\pris\dllhost.exe | C:\SavesDllcommon\fontsaves.exe | N/A |
| File created | C:\Windows\ImmersiveControlPanel\pris\5940a34987c991 | C:\SavesDllcommon\fontsaves.exe | N/A |
| File created | C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\winlogon.exe | C:\SavesDllcommon\fontsaves.exe | N/A |
| File created | C:\Windows\Migration\WTR\dllhost.exe | C:\SavesDllcommon\fontsaves.exe | N/A |
| File opened for modification | C:\Windows\Migration\WTR\dllhost.exe | C:\SavesDllcommon\fontsaves.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\uliqxd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\SavesDllcommon\fontsaves.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\SavesDllcommon\System.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\SavesDllcommon\fontsaves.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\SavesDllcommon\System.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Expensive 3.1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'
C:\Users\Admin\AppData\Local\Temp\uliqxd.exe
"C:\Users\Admin\AppData\Local\Temp\uliqxd.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\SavesDllcommon\gdNhr8l.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\SavesDllcommon\BRvogp3keJwY6M0FyR4uWbtTK.bat" "
C:\SavesDllcommon\fontsaves.exe
"C:\SavesDllcommon\fontsaves.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\SavesDllcommon\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\SavesDllcommon\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\SavesDllcommon\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\SavesDllcommon\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\SavesDllcommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\SavesDllcommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\ImmersiveControlPanel\pris\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\pris\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\ImmersiveControlPanel\pris\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\SavesDllcommon\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\SavesDllcommon\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\SavesDllcommon\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "XClientX" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\XClient.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "XClient" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\XClient.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "XClientX" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\XClient.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Visualizations\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Visualizations\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\SMI\Manifests\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\SysWOW64\SMI\Manifests\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\SMI\Manifests\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6py5WUoJqb.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\SavesDllcommon\System.exe
"C:\SavesDllcommon\System.exe"
C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe
"C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004BC
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | loss-winners.gl.at.ply.gg | udp |
| US | 147.185.221.19:61007 | loss-winners.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 147.185.221.19:61007 | loss-winners.gl.at.ply.gg | tcp |
| RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp |
| US | 147.185.221.19:61007 | loss-winners.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61007 | loss-winners.gl.at.ply.gg | tcp |
| RU | 141.8.192.6:80 | a0987391.xsph.ru | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4uidhoz.dzr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e8eb51096d6f6781456fef7df731d97 |
| SHA1 | ec2aaf851a618fb43c3d040a13a71997c25bda43 |
| SHA256 | 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864 |
| SHA512 | 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 21017c68eaf9461301de459f4f07e888 |
| SHA1 | 41ff30fc8446508d4c3407c79e798cf6eaa5bb73 |
| SHA256 | 03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888 |
| SHA512 | 956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e0391d00f5bfbc34be70790f14d5edf |
| SHA1 | fcb04d8599c23967de4f154a101be480933ab0d0 |
| SHA256 | 1c0c0c86d7c736fc9fb148ac7cd6e67565dc5b76fa116ae3b000a79e91855136 |
| SHA512 | 231b9cc6efb928f0748cef04f287d9204c4f7d2eb4bc27f345e9a1afc6d0675057978ca44d1a95334ee2380709aa6dbe74015fedff8f17611a64efcfb9f64d2a |
C:\Users\Admin\AppData\Local\Temp\uliqxd.exe
| MD5 | 5841e08c36ee75ba2d4002507ceb9be8 |
| SHA1 | c679478e7041b2c3f0659403e87dc1bf011e7f2c |
| SHA256 | 85905bb938abe1ea461869f73103f364f2dddaae579f35d460338a21db8b8056 |
| SHA512 | 2fdd014e5c128e7bb6112cc3facf50dd413dbb7d9e705d7c3b21dd0a9d4717281d1bdb62bf416ed1e651bea8177db3d3ae0b3ac6ba729e0eb9010e694d8d7744 |
C:\SavesDllcommon\gdNhr8l.vbe
| MD5 | 67750c3e2cc7970484d8e1f3e95c4454 |
| SHA1 | b4a6e933dfda3db9a2663798f421a2b06a0c5b35 |
| SHA256 | a5c935975dff3bdbd1fd9c63abc8c47d2e24dd408dd5d0760b8af2db291c9655 |
| SHA512 | d794c9fdc99334fe3627d03e63e41d67a6f47e5b1601eb3c4c9cd037dd6b74c238e3bd8510c7755fd4e6f366b140bf9b82d6fbe734237ee8d44de51a193c1fa9 |
C:\SavesDllcommon\BRvogp3keJwY6M0FyR4uWbtTK.bat
| MD5 | 0a9ef172b5e9daeb9c3366842676eac9 |
| SHA1 | 18ce47e6f7a7dc2a4c0882a7fa1e69bc91f22cd2 |
| SHA256 | 4193c6cb4fcc0e633a062825fc4b510d826d68063be74cf7f37d5db3a75ea2b6 |
| SHA512 | dc1985d420f4d7058529acd1afce2bd9e047f95074a3f12ca0923903bb3dab615fb938464d6a75adfd4a890aa3eeda9797c13bfb867bb02e02945af3c108d563 |
C:\SavesDllcommon\fontsaves.exe
| MD5 | 73ace1b8b0f1b1c088f11ee29b13ae6b |
| SHA1 | 4b7fa04aacb5a23ab37b9caaee8f852a1bd33bbc |
| SHA256 | 8be76a2960a823f9284836868172eff28b64de44daba8b09f91ff678bb22d614 |
| SHA512 | 1e13cc8ac20c9e10cd13f78cb54e75b23ad255d1601d45ee78770f3cb74fe5e9bb3e84d8ca8f7c44659365da45a79b72be85d6433a8bbbac79b925839cc7e4d1 |
C:\Users\Admin\AppData\Local\Temp\6py5WUoJqb.bat
| MD5 | 6427be0302c789764be5d54f7e002a0a |
| SHA1 | ac7f0dc923bea68b72d321b4770e5d70eaa8c9e2 |
| SHA256 | ec42526166d1e5aa74bd6015cb52224f553a437f39c36516a1f1d79340d02b19 |
| SHA512 | 5eefe384774b8b754e9428aed6fdfcf8649c0b5204d67798fa3f0cebd09a143eae2e5e4accdb168db53c370042faeb488b191b2b3a68b52a25e1b8f155fdb620 |
C:\Users\Admin\AppData\Local\Temp\Meatspin_FULL.exe
| MD5 | 137c1b0243beb35b6a0b6dbe632dc341 |
| SHA1 | b710da533d9a33f4d7fc78d317bbcee8dc95826d |
| SHA256 | 86cd8a8dc5228014e559788e7a0f5ed6fef637691bf53111e9eab4187a0652ab |
| SHA512 | 49ee75b71223ed47ae81a089247ff3002d50f70ede8e57af42f73745bbf7cb8ee7c71c1ab5da9d967fbe0b2f9de5dad70f4a7f4cfe44ba104d5a60be53eccabf |