Malware Analysis Report

2024-09-11 14:49

Sample ID 240610-wtbs4swbpk
Target Microsoft Network Realtime inspection.exe
SHA256 df694262ddbf073b4d8d30cdbbe465290e23886f66031ae3cfe9c887a85e4217
Tags
xworm ramnit banker execution persistence rat spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

df694262ddbf073b4d8d30cdbbe465290e23886f66031ae3cfe9c887a85e4217

Threat Level: Known bad

The file Microsoft Network Realtime inspection.exe was found to be: Known bad.

Malicious Activity Summary

xworm ramnit banker execution persistence rat spyware stealer trojan upx worm

Xworm

Xworm family

Ramnit

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

UPX packed file

Looks up external IP address via web service

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-10 18:12

Signatures

Detect Xworm Payload

Description Indicator Process Target
1 match, no per-match details given (N/A)

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
1 match, no per-match details given (N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 18:12

Reported

2024-06-10 18:15

Platform

win7-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
5 matches, no per-match details given (N/A)

Ramnit

trojan spyware stealer worm banker ramnit

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A

UPX packed file

upx
Description Indicator Process Target
18 matches, no per-match details given (N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\TLauncher = "C:\\Users\\Admin\\AppData\\Roaming\\TLauncher" C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px696.tmp C:\Users\Admin\AppData\Local\Temp\vusijsSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\vusijsSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px162F.tmp C:\Users\Admin\AppData\Local\Temp\okqsdg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\okqsdg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\zmhlqkSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\behvqzSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\behvqzSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px77CF.tmp C:\Users\Admin\AppData\Local\Temp\zmhlqkSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px6F85.tmp C:\Users\Admin\AppData\Local\Temp\behvqzSrv.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{258519B1-2755-11EF-A336-7EEA931DE775} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4DD1A0F1-2755-11EF-A336-7EEA931DE775} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424205083" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\TLauncher N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\TLauncher N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\TLauncher N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pemeuv.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jiwyij.exe N/A

Suspicious use of WriteProcessMemory

Repeated identical rows are collapsed; the number of recorded events for each writer/target pair is given in parentheses.
Description Indicator Process Target
PID 2184 wrote to memory of 2748 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2184 wrote to memory of 2404 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2184 wrote to memory of 2424 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2184 wrote to memory of 560 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2184 wrote to memory of 1332 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\schtasks.exe
PID 1896 wrote to memory of 2244 (3 events) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\TLauncher
PID 2184 wrote to memory of 1624 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\pemeuv.exe
PID 2184 wrote to memory of 2004 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\behvqz.exe
PID 2004 wrote to memory of 1740 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\behvqz.exe C:\Users\Admin\AppData\Local\Temp\behvqzSrv.exe
PID 1740 wrote to memory of 2756 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\behvqzSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2756 wrote to memory of 1780 (4 events) N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1780 wrote to memory of 2960 (4 events) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1896 wrote to memory of 932 (3 events) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\TLauncher
PID 2184 wrote to memory of 2724 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\vusijs.exe
PID 2724 wrote to memory of 2308 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\vusijs.exe C:\Users\Admin\AppData\Local\Temp\vusijsSrv.exe
PID 2308 wrote to memory of 1388 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\vusijsSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1388 wrote to memory of 1964 (4 events) N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1780 wrote to memory of 1968 (3 events) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
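The WriteProcessMemory table lists one row per call, so each parent/child pair shows up three or four times and the actual launch chain is hard to read off the page. The script below is an added example, not part of the sandbox report: it rebuilds the process tree from rows in that table's format, parsing the Process and Target columns (both paths contain spaces, so it splits on the second `C:\` rather than on whitespace), counting repeated rows, and printing an indented tree. Over the embedded rows it shows two roots, the sample (PID 2184) and taskeng.exe (PID 1896) relaunching the TLauncher copy, and that every iexplore.exe instance descends from DesktopLayer.exe, the dropped component consistent with the Ramnit tag; the Internet Explorer registry writes listed earlier therefore come from those spawned browser processes, not from the sample itself. The input rows are constructed from the table above; the triplicated 2184 to 2748 rows are kept to show the counting, the other edges appear once each.

```python
import re
from collections import Counter, defaultdict

# Rows in the format of the "Suspicious use of WriteProcessMemory" table above
# (constructed input transcribed from the report; columns are Description,
# Indicator, Process, Target; the 2184 -> 2748 row is repeated three times on purpose).
ROWS = r"""
PID 2184 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2184 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2184 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2184 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2184 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2184 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2184 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\schtasks.exe
PID 1896 wrote to memory of 2244 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\TLauncher
PID 2184 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\pemeuv.exe
PID 2184 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\behvqz.exe
PID 2004 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\behvqz.exe C:\Users\Admin\AppData\Local\Temp\behvqzSrv.exe
PID 1740 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\behvqzSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2756 wrote to memory of 1780 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1780 wrote to memory of 2960 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1896 wrote to memory of 932 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\TLauncher
PID 2184 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\vusijs.exe
PID 2724 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\vusijs.exe C:\Users\Admin\AppData\Local\Temp\vusijsSrv.exe
PID 2308 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\vusijsSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1388 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1780 wrote to memory of 1968 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"""

# Both path columns contain spaces, so the Process column is matched non-greedily
# up to the first " C:\" that starts the Target column.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$", re.M)


def parse_rows(text):
    """Return (edge counter keyed by (writer_pid, target_pid), pid -> image path)."""
    edges, image = Counter(), {}
    for m in ROW_RE.finditer(text):
        src, dst = int(m.group(1)), int(m.group(2))
        edges[(src, dst)] += 1
        image[src], image[dst] = m.group(3), m.group(4)
    return edges, image


def build_tree(edges):
    """Derive parent and children maps; a PID keeps the first writer seen as its parent."""
    parent, children = {}, defaultdict(set)
    for src, dst in edges:
        parent.setdefault(dst, src)
        children[src].add(dst)
    roots = sorted(p for p in children if p not in parent)
    return parent, children, roots


def lineage(pid, parent):
    """Walk from a PID up to its root, e.g. IEXPLORE.EXE back to the sample."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain


def render(edges, image, parent, children, roots):
    """Indented tree with the number of memory writes recorded for each edge."""
    lines = []

    def walk(pid, depth):
        count = f"  ({edges[(parent[pid], pid)]} writes)" if pid in parent else ""
        lines.append("    " * depth + f"{pid}  {image[pid]}{count}")
        for child in sorted(children.get(pid, ())):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges, image = parse_rows(ROWS)
    parent, children, roots = build_tree(edges)
    print(render(edges, image, parent, children, roots))
    print("lineage of 2960:", " <- ".join(map(str, lineage(2960, parent))))
```

A PID that appears as a target of two different writers keeps the first writer as its parent; none do in this report, but on a real tree-less log (injection into an existing process) that assumption should be checked before trusting the chain.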

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Network Realtime inspection.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TLauncher'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TLauncher'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher"

C:\Windows\system32\taskeng.exe

taskeng.exe {0FAFACC6-7E24-4754-9229-355E04FE796A} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Local\Temp\pemeuv.exe

"C:\Users\Admin\AppData\Local\Temp\pemeuv.exe"

C:\Users\Admin\AppData\Local\Temp\behvqz.exe

"C:\Users\Admin\AppData\Local\Temp\behvqz.exe"

C:\Users\Admin\AppData\Local\Temp\behvqzSrv.exe

C:\Users\Admin\AppData\Local\Temp\behvqzSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1780 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Local\Temp\vusijs.exe

"C:\Users\Admin\AppData\Local\Temp\vusijs.exe"

C:\Users\Admin\AppData\Local\Temp\vusijsSrv.exe

C:\Users\Admin\AppData\Local\Temp\vusijsSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1780 CREDAT:406533 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\okqsdg.exe

"C:\Users\Admin\AppData\Local\Temp\okqsdg.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1780 CREDAT:4011014 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\zmhlqk.exe

"C:\Users\Admin\AppData\Local\Temp\zmhlqk.exe"

C:\Users\Admin\AppData\Local\Temp\zmhlqkSrv.exe

C:\Users\Admin\AppData\Local\Temp\zmhlqkSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1780 CREDAT:4011019 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\jiwyij.exe

"C:\Users\Admin\AppData\Local\Temp\jiwyij.exe"

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher
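The four powershell.exe invocations above add Windows Defender exclusions for the sample and for its TLauncher copy, once by path and once by process name each, before schtasks.exe installs a task named TLauncher that runs the copy every minute with the highest run level; the Files section shows TLauncher carries the same SHA256 as the sample, so it is a straight copy with the extension dropped. Add-MpPreference needs an elevated token, which the sandbox's Admin user supplies. The rules below are an added example, not part of the report: they show how that sequence looks in process-creation telemetry, running over constructed Sysmon-style records transcribed from the process list (PIDs from the WriteProcessMemory table; the parent PID 1000 and the benign control record with PID 4242 are assumed), flagging the Defender exclusion, the high-frequency elevated task and the extension-less image under AppData\Roaming, and then correlating hits by parent to surface the one process that did both the evasion and the persistence.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields,
# transcribed from the behavioral1 process list above. Child PIDs are those in the
# WriteProcessMemory table; ppid 1000 and the benign control (pid 4242) are assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
TLAUNCHER = r"C:\Users\Admin\AppData\Roaming\TLauncher"

EVENTS = [
    {"pid": 2184, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2748, "ppid": 2184, "image": PS,
     "cmdline": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{SAMPLE}'"},
    {"pid": 2404, "ppid": 2184, "image": PS,
     "cmdline": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Network Realtime inspection.exe'"},
    {"pid": 2424, "ppid": 2184, "image": PS,
     "cmdline": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{TLAUNCHER}'"},
    {"pid": 560, "ppid": 2184, "image": PS,
     "cmdline": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TLauncher'"},
    {"pid": 1332, "ppid": 2184, "image": SCHTASKS,
     "cmdline": f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TLauncher" /tr "{TLAUNCHER}"'},
    {"pid": 2244, "ppid": 1896, "image": TLAUNCHER, "cmdline": TLAUNCHER},
    # Benign control (constructed): an administrator excluding a fixed build directory.
    {"pid": 4242, "ppid": 4000, "image": PS,
     "cmdline": f"\"{PS}\" Add-MpPreference -ExclusionPath 'C:\\Build'"},
]

DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)
TASK_INTERVAL = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)
TASK_ACTION = re.compile(r'/tr\s+"?([^"]+)"?', re.I)


def check_defender_exclusion(ev):
    """Defender exclusion added from PowerShell; high severity when it covers a
    user-writable location or is paired with -ExecutionPolicy Bypass, as above."""
    if not ev["image"].lower().endswith("powershell.exe"):
        return None
    m = DEFENDER_EXCLUSION.search(ev["cmdline"])
    if not m:
        return None
    high = USER_WRITABLE.search(ev["cmdline"]) or "-executionpolicy bypass" in ev["cmdline"].lower()
    return ("defender_exclusion_" + m.group(1).lower(), "high" if high else "medium")


def check_scheduled_task(ev):
    """schtasks /create with highest run level and a minute-scale repeat,
    or an action that lives under a user-writable path."""
    if not ev["image"].lower().endswith("schtasks.exe"):
        return None
    cmd = ev["cmdline"]
    if "/create" not in cmd.lower():
        return None
    interval = TASK_INTERVAL.search(cmd)
    action = TASK_ACTION.search(cmd)
    highest = "/rl highest" in cmd.lower()
    frequent = interval is not None and int(interval.group(1)) <= 5
    user_path = action is not None and USER_WRITABLE.search(action.group(1)) is not None
    if (highest and frequent) or user_path:
        return ("schtask_persistence", "high")
    return None


def check_extensionless_roaming(ev):
    """Image under AppData\\Roaming whose file name has no extension (TLauncher)."""
    image = ev["image"]
    basename = image.rsplit("\\", 1)[-1]
    if re.search(r"\\AppData\\Roaming\\", image, re.I) and "." not in basename:
        return ("extensionless_image_in_roaming", "high")
    return None


RULES = (check_defender_exclusion, check_scheduled_task, check_extensionless_roaming)


def scan(events):
    """Run every rule over every event; one finding per hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"pid": ev["pid"], "ppid": ev["ppid"], "rule": hit[0], "severity": hit[1]})
    return findings


def correlate_by_parent(findings):
    """Parents that both added a Defender exclusion and installed a scheduled task:
    the evasion-then-persistence pairing seen from PID 2184 in this report."""
    rules_by_parent = {}
    for f in findings:
        rules_by_parent.setdefault(f["ppid"], set()).add(f["rule"])
    return {p: r for p, r in rules_by_parent.items()
            if "schtask_persistence" in r and any(x.startswith("defender_exclusion") for x in r)}


if __name__ == "__main__":
    hits = scan(EVENTS)
    for h in hits:
        print(f'{h["severity"]:6} pid={h["pid"]:<5} {h["rule"]}')
    print("chained parents:", correlate_by_parent(hits))
```

The benign control is rated medium rather than high because it excludes a fixed path outside user-writable locations and does not pass -ExecutionPolicy Bypass; USER_WRITABLE should be extended with whatever staging directories are common in the environment being monitored.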

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | listing-trackbacks.gl.at.ply.gg | udp
US | 147.185.221.20:15337 | listing-trackbacks.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | api.bing.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/2184-0-0x000007FEF5723000-0x000007FEF5724000-memory.dmp

memory/2184-1-0x00000000011E0000-0x00000000011F4000-memory.dmp

memory/2184-2-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

memory/2748-7-0x000000001B0F0000-0x000000001B3D2000-memory.dmp

memory/2748-8-0x00000000024A0000-0x00000000024A8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 b3f0e5787439bd0780105f8070e8e832
SHA1 6a20f1e64768502f3fa5b2d4341380f32765c9a9
SHA256 89c4ca8e204678f2c0aaf7a938226b3ebb747f461255b90e270726e44974aca7
SHA512 5d3343ec7d33e339dcec9fbf8fac297c847a3ae3c3c971ef35ca38d5ff989bb27f07bb15cab7282ee89f2ed43ca7aefbc17f45e805601202c949f97ff3b2be7d

memory/2404-14-0x000000001B230000-0x000000001B512000-memory.dmp

memory/2404-15-0x00000000023A0000-0x00000000023A8000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2184-31-0x000007FEF5723000-0x000007FEF5724000-memory.dmp

C:\Users\Admin\AppData\Roaming\TLauncher

MD5 bf83a3bdf8dc39cad91cb8a0dd356aef
SHA1 42803f697127fd92b5cc38bfca7c4853a82a986f
SHA256 df694262ddbf073b4d8d30cdbbe465290e23886f66031ae3cfe9c887a85e4217
SHA512 8f047643be1c1758b31e489be2dbc8f86ab58247cc2d95e84d28acc489600271b933d63efe73131953dd8be5cc659fe0caae09714c68f1f8aa4f8a6d8ac03bcb

memory/2244-35-0x00000000009E0000-0x00000000009F4000-memory.dmp

memory/2184-36-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pemeuv.exe

MD5 19796e0d82a76be6dafa5cb7b80e2506
SHA1 ce7d0842683febfbc4e52278a25f75e29ccf6155
SHA256 65d4c633bf347ed4766dbb6e003776a017ccb632d73c6138c3e880a94c114c2d
SHA512 049111891524683fd63036355f02006ca1fd69478aa9597050f1bbeda256b25ce9f28684df80d169d50dcc01a8cbdb17e78b82ea4d49d71b9ee72588bd1e6fbb

C:\Users\Admin\AppData\Local\Temp\behvqz.exe

MD5 c1de9eca3223daed0bc2ae4816193d94
SHA1 802d287f4b04454349ca29edf759c8a17c1001fa
SHA256 da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c
SHA512 1ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0

memory/2004-53-0x0000000000400000-0x000000000041D000-memory.dmp

\Users\Admin\AppData\Local\Temp\behvqzSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2004-57-0x0000000000220000-0x000000000024E000-memory.dmp

memory/1740-66-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2756-69-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2756-71-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab8D53.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar8F01.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d48a6064126cbfc487174bd644f3a9f
SHA1 a10a7f2f2dea21851f54076a7a26d37b4a7120a7
SHA256 78078b4c5a1e4723e3b89ccd26fb561d91f7df476a678986ba772ff24817b920
SHA512 b1025348c88e416846093677fba00370420356a16efec1679a9e954633c0d123c4785ebf5a9675f7565de8eff972d52a64d87add82afb2d58730fa58bc6b39a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e113fae7f64a0b0b89756d4fb6a4a104
SHA1 68e46deb7b298557b2537b735d17b96ce04f9c95
SHA256 ba4b35154ebb6de633bba310c70d5ed249af89f04cd2215debbc4c5aee232a36
SHA512 69306f810d1afe0d3284ff7529f46fc837594294fe7a00ab8a2e9a26e7a2231c1fb77d74aaf08e3f85640c97fd698bc652a2f8764c3bcc9d902b5d0c30848e7c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 de149365c7d919306eb0432a28a621dc
SHA1 7009db14c990b2fa1b4bca311def8fbe2f7d54ed
SHA256 ed6ff67a946473aee39373cb939aa3c0e9844cd76fbc846cb8c6b9d7db2571bc
SHA512 a7eb356ec55bda6e040c27c9684640f530ee6c3508acc8121a7bc607aaf7b56bea14cffeb9ff6d4773352d190096746b99cb65ed9ea5450d5a726adc5601a8e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 384926e54c3d5c7e5bbef0c9c3925a7f
SHA1 9c1bcb53f3dd8deab2172f1be2f4cca8adf6f01c
SHA256 65da953ad1fbacb7386360117ce5606a0729b171e8fa8f09d098fc92f37d04cb
SHA512 bc6032e159bded87d1f914354297edf4570692bf4b101bd63e4cc87267f51575df8e1f1144ccd4a31719462e67161f6f55d028465bcb9f123eaf4a7095da4722

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 807b595b9c857770e4e5dd5466a31fe0
SHA1 33835aff9c5acdfba86db7c6d80bc366f1ca052e
SHA256 13cd341c311e870a57a0b8946a25f072098419eb4cb5e6630fab71f41145b48f
SHA512 52fa092322245379565f29f3a285a9ea34befc032bc1aaffbc9b997468d0a3b6e140b70d6d2485200226633d713db4e7967725e954873c9b79e24ffb5549a7f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77a002aadc08b88a24db58aff6c57281
SHA1 fee08e9a033ed41add3f2c1b6425cbadf6b9d038
SHA256 40854ab25f4e3f22df618c4735c6dbc9c677c83e3695fc39ae5d1e1dda2bc507
SHA512 e45c71f3e9c18081a336f9adfc1dfd50be2a1404858e4c9054fb7f795d477c81acb784d1b4e3da1b4c419a100167c38424dde4d30f9c00dad3f11879021ede29

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f040b53f44d684b23af6ef577e58dba4
SHA1 1a9c3c215a65bd938669dda53c8daaf8e509d39a
SHA256 77e10dc5ebebfa0cfaee24219f94e66f93de6470ec9adfa9b5be4d976a9d722c
SHA512 cb4db64b5c357de6903bf7569dc6bf670a5a0ba396369ce02ada658413d81e992a3dd0f4d0062136daae1cdba084e4b527682517e4539cb4d121a799b72804ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0400d909e7b4805c1cf334982f60aaa5
SHA1 4df991ccf52d347b9ad2627ffdbb420338fb5e4c
SHA256 80421d77caebc3078d56b7f5605c5764e2893a0626644f1513b211e3d3223efa
SHA512 8d313eda288ccf2a5032b10883be0640e425c0e566ce52144b08ba2bee69a524204f78933a5b036119d26ae106e56d9379a6211e63164a30795993b49c907e28

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d83494c172116e65b43a8a115440b180
SHA1 ac12a382324e11269d8bdc23d96f1138d6a5d0e3
SHA256 cc04d65305243c41830cac37fedcb5b16d1b20cede8504b832953a79c80bd5c0
SHA512 d062b3161819019d0c9602013952ccc253d417c3db52a9a3b36ead5da80202dbe61b1d73450e248c3756f44b9bce326304eb6b4a05a7ad16ee3e9f8ff323690b

memory/2004-547-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2004-548-0x0000000000400000-0x000000000041D000-memory.dmp

memory/932-550-0x0000000000230000-0x0000000000244000-memory.dmp

memory/2004-551-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vusijs.exe

MD5 9a1b04a62283ab9848be4331ba124d0c
SHA1 f83fdad90c24e41987b44a022db3856c9ff22368
SHA256 3c782281df50b6286b774ce47c94da5b8283e73d285cf3412514c060fbb5405a
SHA512 393cc7cd603ee0f1f65085460c868339ae78e2616902da2ac25e2f45a453674f0bb94f5f1da3d62118d4cf7ec1d377f805ef3b74ce40fb368357055fe09740cc

memory/2724-559-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2308-565-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2308-572-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2004-577-0x0000000000400000-0x000000000041D000-memory.dmp

memory/960-590-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1664-591-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1664-593-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2724-595-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2004-596-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2004-597-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6723837f94d5e8c90d7ab4200ed1c50c
SHA1 b323ecd8228ef0e62b995b2128d806456e6540b5
SHA256 a7e10a5e00d8bd4a678d24d75dd5ca389b4b8ecc22adaeb22b02246605f92baa
SHA512 28c2befba439690eb5346b6cfa9f8cd1a54d74e1421157ce0668cbbd73b6e8c8be5c5216e04b2b8d4670e9a749b42a6b8dbf56b6b293aeb851e9918e851209d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 13e29de91014e1b9100b8bee0949ffa6
SHA1 d1728cb137e95aef80bab89b0842a8ecf33dd6a8
SHA256 d75a2bc7630b93ab8868f826b97d60d3e3711df5361a45a0735dee80416e1ed7
SHA512 f4ab2a4b2f137c3d7ff6b9d0d1ba0306ca982edcc2bb95042634fb8a8f6e3267ec4ec6e1d4cb13e6f552b91a7f99f76d835ff7b68fb15adf168b7c3cb9a33831

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d51f3bc8e0b85b0f428084b28c689b7e
SHA1 55b7fd8f90150a6c56169ffaca0a5f107832d180
SHA256 07016930e5e78fdad00e40f5bedc99ba9b2afcede0a73da30b28e320bd70bd67
SHA512 b5ecf760088f628f56157331373be9e4ed128ea011168aaefac439c45af3ad4d17895b387e167a6ce2e31765bbfc6e359a6b0143fa930503ba4a8773d7c0a97c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b7d5927f138cb7d8d5272f3a36ce3965
SHA1 4d9514618e86a521b5e82646b5ccb77f404de3fe
SHA256 9b7a6854cc55ac3b3974531b4926e30376ec9eb770ea5cc06554a3e4ce6530bf
SHA512 fecc66aebd94cde43015ad2a9f1a34379a5240ac3b16798984d534194fba3be4ec61c61287fc6623da49c3cee5f2f2e71dc81b8fa0937451e9f3db48f32692f2

C:\Users\Admin\AppData\Local\Temp\zmhlqk.exe

MD5 73d51997f201501a641743db5494f864
SHA1 01a10a3f7d3e62e70538273285f4f4ef75793465
SHA256 7d0eb3c271e15811bfce3acebdbe17cb7d91ed01b988092d050ab9b88bbf367f
SHA512 28549142ffc196a5b23110f1999f56c25491ab3c31f2a3896bdb57d8fcb852487fb3e7b648366f998decfbdb910aadf74036729d24660ab9a1972aea190310eb

memory/1296-743-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1296-762-0x0000000000220000-0x000000000024E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d0e734b414db9d146397f11b5ad8b45
SHA1 59ecfab1c4b547c61af17100f288137c4fe15b6f
SHA256 55fabc7269f3d56a5abdda6bcd585ccc67486afd58f06db3eb172fe5df389742
SHA512 4b094522c44c758f0df884c4a24786a3be4747fc8c11a57dda3f2119635f83bd54e306bd0f123b020a7394213fe8511db44e6b268eff2625644dad2cc649f1eb

memory/2328-798-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2328-796-0x0000000000240000-0x000000000026E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 095d503305f7e0829ff4dee088d24ac8
SHA1 192441b61588a66e3d72727c4361743afd0590a4
SHA256 648fee6a05a17a3156f68dc042fa31500f763ce4b95cb8d0f66e8b0378118902
SHA512 74001e17fc7882ac650f0d570576f754a27ae8fb27101507808133c72d226f0f019b8b8a39e3b84ed57a6189ce6b3a841b0f99c59c59603d01f260e180753ad5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be38e115494b5d7ab61167ff920014d3
SHA1 1eecc719de3c4dc46c8d61d662e227415ebb1751
SHA256 7e11c811c895d8f6388a523df289223fbe5553dfd007b8dbc2f154de6f8ed673
SHA512 ef4c1fa48074a56b5a70fbc7230dae978b26d094803f952fc02ab110c20c5c9200b7f9b681b250d8b11eae653a72c7ea4762bd8758091b98a62e38a6e070b015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b31977a54c687d03741a313a8c35196
SHA1 d52c77e361aad68eb7515a65cd1ac447ecefe851
SHA256 c93074a64e6a449c5729adeeac0328a20a1e56e87d7953fcc9de30a380161382
SHA512 3550083d13fc4c000defe7ceb42677bbbf3a2f327ded97f765e53dce6c79fc03489d8ee4dab9583df8c84b50b2e15401f6d0c14decc248f02abe4984b62e8838

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77bbc5966e8d644f8d34b7ae44eb97d0
SHA1 6d6f66cb9c6818e064c221a6ae3b0a1325535642
SHA256 4919c65cba0565ac51b8bbeb132b112bf0f6d0c3f823f07c4cf8551884acdc3c
SHA512 9d6afcfd4d20ce1e64bc564955ccf706d2ffa047bb49567da089f7776a146d24621895313aa589a0cbd5f3f9947868baaaf353cbebbf7327a84d31a09353241f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 48fdf9a20588625071339535dcfd04d9
SHA1 2f780d5b932c05f949e411dda8852945adba8cd0
SHA256 7d43b7fb303b1e676d039f33bb8171d173801456f936020475bdf03ab794b703
SHA512 fb1074bba860fddc15662803b9466e67a268829194df9a628b89d1a6dd7fd2f8b54c2cd07d2991eabcddfb91f874975bf0eea1e5de1520374f149c19e680cb68

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{258519B1-2755-11EF-A336-7EEA931DE775}.dat

MD5 05efc95b18ab8d2414353336b7c36206
SHA1 c58c1bc17426e9d102c5c00f3132eb8af662d51d
SHA256 85625886c463b860c3bc276bd36a5695a0c7ee4f0097b94137e81d5f8c236d9d
SHA512 e23eb2b913ee42632a3e569f7d3e6a38025b84649e89643b9ad60a84cfe877a995088e9f73aae51d799998f5055826d38f39f89402bd901a5735a5349dfe7f80

memory/1296-1106-0x0000000000400000-0x0000000000459000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jiwyij.exe

MD5 62cbb85434223022a0b0e369b227a3d9
SHA1 4978b691168f16c678a1ffe53e126ba1d946bce0
SHA256 ea3087204e3ed644308a0a96bbf319590a9b2701ac850bb63f2ba3dc4955f1fd
SHA512 f76d281ce4c4401315f811dba1512757fa59a9c1ca6486c006f7861aed793a1f196fd66b772405374a751f383b5a234234e64de16f2fe9d613694e354b882f69

memory/1296-1117-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2396-1119-0x0000000000140000-0x0000000000154000-memory.dmp

memory/1296-1120-0x0000000000220000-0x000000000024E000-memory.dmp

memory/1296-1121-0x0000000000400000-0x0000000000459000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 18:12

Reported

2024-06-10 18:15

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\TLauncher | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TLauncher | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TLauncher | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TLauncher = "C:\\Users\\Admin\\AppData\\Roaming\\TLauncher" | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TLauncher | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TLauncher | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TLauncher | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1416 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1416 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1416 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1416 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1416 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1416 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1416 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1416 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1416 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\schtasks.exe
PID 1416 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Network Realtime inspection.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TLauncher'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TLauncher'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher"

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 8.8.8.8:53 | listing-trackbacks.gl.at.ply.gg | udp

Files

memory/1416-0-0x00007FF816413000-0x00007FF816415000-memory.dmp

memory/1416-1-0x00000000002A0000-0x00000000002B4000-memory.dmp

memory/1416-2-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0bncj3lf.tkl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3016-12-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

memory/3016-13-0x0000021559E80000-0x0000021559EA2000-memory.dmp

memory/3016-14-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

memory/3016-15-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

memory/3016-18-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 819f2de3404bd9867c2f07b072e55f78
SHA1 61a4508134c59e7adc529f195bca0969beb2ec46
SHA256 a2f25c887b1725514f0d5b93c1dbb5938e14d4248dd7c76c98d0caaf9fa2cfbe
SHA512 4319ec8129a28d336b8283622f7176caad212b9459d3e2a67f911245d2a2c24f6eee32ad6ac8122da8beb6bd58c34e61678d5380c336af5b1e5530ad402cd9a6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 da5c82b0e070047f7377042d08093ff4
SHA1 89d05987cd60828cca516c5c40c18935c35e8bd3
SHA256 77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
SHA512 7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

memory/1416-56-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

C:\Users\Admin\AppData\Roaming\TLauncher

MD5 bf83a3bdf8dc39cad91cb8a0dd356aef
SHA1 42803f697127fd92b5cc38bfca7c4853a82a986f
SHA256 df694262ddbf073b4d8d30cdbbe465290e23886f66031ae3cfe9c887a85e4217
SHA512 8f047643be1c1758b31e489be2dbc8f86ab58247cc2d95e84d28acc489600271b933d63efe73131953dd8be5cc659fe0caae09714c68f1f8aa4f8a6d8ac03bcb

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TLauncher.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1