Malware Analysis Report

2024-12-07 14:21

Sample ID 241121-ylwjnazpcp
Target 752966b8834739951d9ca0e169f7750b7d74363db3fb9e1af55ab44e692ad578
SHA256 752966b8834739951d9ca0e169f7750b7d74363db3fb9e1af55ab44e692ad578
Tags
xloader pdrq discovery execution loader rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

752966b8834739951d9ca0e169f7750b7d74363db3fb9e1af55ab44e692ad578

Threat Level: Known bad

The file 752966b8834739951d9ca0e169f7750b7d74363db3fb9e1af55ab44e692ad578 was found to be: Known bad.

Malicious Activity Summary

xloader pdrq discovery execution loader rat

Xloader

Xloader family

Xloader payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Scheduled Task/Job: Scheduled Task

Gathers network information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-21 19:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-21 19:52

Reported

2024-11-21 19:55

Platform

win7-20240903-en

Max time kernel

148s

Max time network

20s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader

loader xloader

Xloader family

xloader

Xloader payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\cscript.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 880 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 880 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe C:\Windows\SysWOW64\schtasks.exe
PID 880 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1236 wrote to memory of 2340 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cscript.exe
PID 2340 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe

"C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jDocKhQ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDocKhQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF1E.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\cscript.exe

"C:\Windows\SysWOW64\cscript.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmpF1E.tmp

MD5 5cb1cde5f7371d59d9c2c2b0c7be3b13
SHA1 29fbd1544a4e82144f5cfb9d0ad67ab7b2bdca2a
SHA256 0113dbbd9795205d4fa0f8e9c314e3b35f7dbea03c25dabdb9ebf83e02f1140d
SHA512 947c8a04c34ae8ae3ac82cec90dc02029eff170a3dce5dd54d5248c0e5bf778f1cea77c8f0e5ba05acf0a3a852efd5705e9a3472aa39236fc1e51917a23fa981

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-21 19:52

Reported

2024-11-21 19:55

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader

loader xloader

Xloader family

xloader

Xloader payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3976 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3976 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe C:\Windows\SysWOW64\schtasks.exe
PID 3976 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3976 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3540 wrote to memory of 3552 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\ipconfig.exe
PID 3552 wrote to memory of 4284 N/A C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe

"C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jDocKhQ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDocKhQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5D1F.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\SysWOW64\ipconfig.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\tmp5D1F.tmp

MD5 0a89311ba22c912a0c35225233aea433
SHA1 0e73992b5a8f7fb84a8abc7d150afecd7a4743be
SHA256 7b0ca00c180f1ec28e4afd90db7f1360d7dba54000a66d87f29e398bbbc86f1b
SHA512 6b14a6fe2be38d784ba96c45f7029ea7cbed21813e2eb6b41b76bbf462b7cbc3f9ed258f751f93f5c7a0042a31c2c36ff7c39e3a8155fc230966b0a84e6e5cd3

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c3wp3h23.orp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
