Malware Analysis Report

2024-11-13 16:19

Sample ID 240824-xj8wjawblq
Target downloader11.exe
SHA256 769e75f011679a606c9a6afbb6380942d08389ace334bfa7399b44bfcbc7db19
Tags
xworm agilenet evasion execution persistence rat themida trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

769e75f011679a606c9a6afbb6380942d08389ace334bfa7399b44bfcbc7db19

Threat Level: Known bad

The file downloader11.exe was found to be: Known bad.

Malicious Activity Summary

xworm agilenet evasion execution persistence rat themida trojan

Xworm

Detect Xworm Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Drops startup file

Loads dropped DLL

Themida packer

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-24 18:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-24 18:54

Reported

2024-08-24 18:57

Platform

win7-20240705-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\downloader11.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\notepad.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\notepad.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\notepad.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Public\svhost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk C:\Users\Public\OneDrive.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk C:\Users\Public\OneDrive.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Public\svhost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk C:\Users\Public\WmiPrvSE.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk C:\Users\Public\SecurityHealthSystray.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk C:\Users\Public\SecurityHealthSystray.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk C:\Users\Public\Runtime Broker.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk C:\Users\Public\WmiPrvSE.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Users\\Public\\WmiPrvSE.exe" C:\Users\Public\WmiPrvSE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\ProgramData\\SecurityHealthSystray.exe" C:\Users\Public\SecurityHealthSystray.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" C:\Users\Public\svhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Runtime Broker.exe" C:\Users\Public\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\ProgramData\\Runtime Broker.exe" C:\Users\Public\Runtime Broker.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\notepad.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Public\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\OneDrive.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\svhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\SecurityHealthSystray.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\svhost.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\SecurityHealthSystray.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\downloader11.exe C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\downloader11.exe C:\Windows\system32\cmd.exe
PID 1976 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\notepad.exe
PID 2344 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe C:\Users\Public\OneDrive.exe
PID 2344 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe C:\Users\Public\Runtime Broker.exe
PID 2344 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe C:\Users\Public\svhost.exe
PID 2344 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe C:\Users\Public\WmiPrvSE.exe
PID 2344 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe C:\Users\Public\SecurityHealthSystray.exe
PID 2868 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\downloader11.exe C:\Windows\system32\cmd.exe
PID 2756 wrote to memory of 1116 N/A C:\Users\Public\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 1388 N/A C:\Users\Public\WmiPrvSE.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 2416 N/A C:\Users\Public\OneDrive.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2508 wrote to memory of 2272 N/A C:\Users\Public\SecurityHealthSystray.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 1624 N/A C:\Users\Public\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 1764 N/A C:\Users\Public\WmiPrvSE.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 1904 N/A C:\Users\Public\OneDrive.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2508 wrote to memory of 3024 N/A C:\Users\Public\SecurityHealthSystray.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2308 N/A C:\Users\Public\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 1464 N/A C:\Users\Public\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2508 wrote to memory of 1524 N/A C:\Users\Public\SecurityHealthSystray.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 1572 N/A C:\Users\Public\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 2288 N/A C:\Users\Public\OneDrive.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\downloader11.exe

"C:\Users\Admin\AppData\Local\Temp\downloader11.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\redline.exe""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""

C:\Users\Admin\AppData\Local\Temp\notepad.exe

"C:\Users\Admin\AppData\Local\Temp\notepad.exe"

C:\Users\Public\OneDrive.exe

"C:\Users\Public\OneDrive.exe"

C:\Users\Public\Runtime Broker.exe

"C:\Users\Public\Runtime Broker.exe"

C:\Users\Public\svhost.exe

"C:\Users\Public\svhost.exe"

C:\Users\Public\WmiPrvSE.exe

"C:\Users\Public\WmiPrvSE.exe"

C:\Users\Public\SecurityHealthSystray.exe

"C:\Users\Public\SecurityHealthSystray.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\redline.exe""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\OneDrive.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\SecurityHealthSystray.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SecurityHealthSystray.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\Users\Public\WmiPrvSE.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\ProgramData\SecurityHealthSystray.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {43535C7F-18BB-4F13-AC2F-B699BDA212AA} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]

C:\ProgramData\svhost.exe

C:\ProgramData\svhost.exe

C:\Users\Public\WmiPrvSE.exe

C:\Users\Public\WmiPrvSE.exe

C:\ProgramData\SecurityHealthSystray.exe

C:\ProgramData\SecurityHealthSystray.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 tmpfiles.org udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 104.21.21.16:443 tmpfiles.org tcp
ES 83.38.19.195:1603 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 92.123.142.59:80 crl.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\notepad.exe

MD5 5dc898e0f4a504cf08b3bf1121108cfd
SHA1 ebccf6c07546640bcd6db32d99cf3e1a30a415c9
SHA256 14cd22fbf91e4e47cd635359460b65f57ebc39b68956db35b55090890b4a2dcf
SHA512 a0ef35d1f21ef2703c27946a57830db25b6ad7f8d01d4439021887f82198d07a4f62417c99590deb29d0c9ea4028d84f72ee37955653f63f57dfe37c90b0db02

C:\Users\Admin\AppData\Local\Temp\e6acf542-692a-4eeb-8143-80ce8cd764ce\AgileDotNetRT64.dll

MD5 05b012457488a95a05d0541e0470d392
SHA1 74f541d6a8365508c794ef7b4ac7c297457f9ce3
SHA256 1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d
SHA512 6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

C:\Users\Public\OneDrive.exe

MD5 f73513e6c124d9749dfd123151e6db5f
SHA1 4779c67fd22ca94d8e6493d2ff4926c420a6660d
SHA256 1b6126e0c126c7bf6c89a8930e0ae65d09bb8bb6f1a5561e8c7108120ebdd0e0
SHA512 7ffa503e5259c3273c64078ee0f7911e037f0a10629078d2ff269ae5db1eab528138c4d02dd06e0668521bc75a8e2a99e5df50002098be9f0dc47b87c0cae7b5

C:\Users\Public\Runtime Broker.exe

MD5 91d837ae278e58ffae9b9cecb989127b
SHA1 5d95e758e763ac6390abd58e4e53238c6bb4c7a5
SHA256 348d4b3310a62ffa0313285c4e7903d8757b6aa904b8614443a6ac966b4c392a
SHA512 b645023240e0cb4029058c235031fed22fed79b93db324c6c385eb02291b3fe1d053585e6372e0f0b96265ff432b8f574d4e0a8c99edfd22069e417375c3870f

C:\Users\Public\WmiPrvSE.exe

MD5 669b9254354d91b88d1e2ed0a819ad3a
SHA1 aba685e5c4661bcf3b41b26ff7948c785b57a95e
SHA256 3e96447e464c59ec274c7cba90ec8e88814273fcdec782ed896949f476c592e4
SHA512 e9b268d92737e999d8e5297f6eb4038962d7bc610285dc746dd9d01ebaa1b9789eada1e131ed345a06fb6b608a73c34e7cfebc4797a9f34bdd304f23457ae0a4

C:\Users\Public\svhost.exe

MD5 407deed69dbb3dc1aa3e9fc1befdc54c
SHA1 aa58d9656c172cdd23512dfaf14d202fb447ecf9
SHA256 3c226cbe5a0e25ca489394ce37951eabb65ae0a86151d16d145fb63df2933128
SHA512 45c6b2b9280e288517c8233cb2b90e49f214e354f6056cf7dd163e382c14b82508eaa6590166ffdcd265f2e3a3c612a25bd5166eafef825b896f53ede621b2da

C:\Users\Public\SecurityHealthSystray.exe

MD5 ffe034d7354384175a0c41efe19cb7df
SHA1 9601ec9a836547f21b39acc43b48fa5258863551
SHA256 b3a04200c5bdc579d24c279e04c31db6f623177b629ea1086cb64362417ac910
SHA512 e782dece3f1b9fa572f0efb587fdbbee6657c8f089656626c27d1ad032854aabec09eb35e63c91b53f061a44b2a595832ad2d8e01760a7d1df6e09157b3daa92

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ecda1a56cb9995f8b105f10ab219f0da
SHA1 f14408570e2d3076a2b7ab543e01609cb3a70068
SHA256 aca3c0516a1e189177874b727ee285b7d796a5b0055cad57e73013aafae46f0e
SHA512 803998858414b43686041d357f109029df14e6f93b8d05f10caea4cd88f63a0071b33d452848e3e86ef9d3f049ae930c2d1bcea9b648377344ae0802aca8a5f0

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk

MD5 773692c4d88cc2d3498d6e72dfb9e83f
SHA1 930c889933b19556c3ba9dcc31c0eac8d1dc45ea
SHA256 347edf31bdac8e3439de757b605285476808fa49a963828fe54508b13a2a3ca7
SHA512 0344fa4ee0a34b02ff9ec9dc1eb4b80665172fd5875f803ca38ccb709d48143afa412ac0c605371d2117e738677de6d5efbf74a6fa9a08fab05734e9926e3a58

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-24 18:54

Reported

2024-08-24 18:57

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\downloader11.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\notepad.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\notepad.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\notepad.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Public\svhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Public\SecurityHealthSystray.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Public\WmiPrvSE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\notepad.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Public\OneDrive.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Public\Runtime Broker.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Public\svhost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk C:\Users\Public\OneDrive.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Public\svhost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk C:\Users\Public\OneDrive.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk C:\Users\Public\Runtime Broker.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk C:\Users\Public\WmiPrvSE.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk C:\Users\Public\SecurityHealthSystray.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk C:\Users\Public\WmiPrvSE.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk C:\Users\Public\SecurityHealthSystray.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\ProgramData\\SecurityHealthSystray.exe" C:\Users\Public\SecurityHealthSystray.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Runtime Broker.exe" C:\Users\Public\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" C:\Users\Public\svhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\ProgramData\\Runtime Broker.exe" C:\Users\Public\Runtime Broker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Users\\Public\\WmiPrvSE.exe" C:\Users\Public\WmiPrvSE.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\notepad.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Public\OneDrive.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\svhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\SecurityHealthSystray.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\SecurityHealthSystray.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\svhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\OneDrive.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\SecurityHealthSystray.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\svhost.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\SecurityHealthSystray.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\svhost.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\SecurityHealthSystray.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\svhost.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\WmiPrvSE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2828 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\downloader11.exe C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\downloader11.exe C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\downloader11.exe C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\downloader11.exe C:\Windows\system32\cmd.exe
PID 1632 wrote to memory of 3124 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\notepad.exe
PID 1632 wrote to memory of 3124 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\notepad.exe
PID 3124 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe C:\Users\Public\OneDrive.exe
PID 3124 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe C:\Users\Public\OneDrive.exe
PID 3124 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe C:\Users\Public\Runtime Broker.exe
PID 3124 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe C:\Users\Public\Runtime Broker.exe
PID 3124 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe C:\Users\Public\svhost.exe
PID 3124 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe C:\Users\Public\svhost.exe
PID 3124 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe C:\Users\Public\WmiPrvSE.exe
PID 3124 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe C:\Users\Public\WmiPrvSE.exe
PID 3124 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe C:\Users\Public\SecurityHealthSystray.exe
PID 3124 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe C:\Users\Public\SecurityHealthSystray.exe
PID 2828 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\downloader11.exe C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\downloader11.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 4012 N/A C:\Users\Public\OneDrive.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3880 wrote to memory of 4012 N/A C:\Users\Public\OneDrive.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 8 N/A C:\Users\Public\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 8 N/A C:\Users\Public\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 2020 N/A C:\Users\Public\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 2020 N/A C:\Users\Public\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 2440 N/A C:\Users\Public\SecurityHealthSystray.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 2440 N/A C:\Users\Public\SecurityHealthSystray.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3080 wrote to memory of 3672 N/A C:\Users\Public\WmiPrvSE.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3080 wrote to memory of 3672 N/A C:\Users\Public\WmiPrvSE.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3880 wrote to memory of 3896 N/A C:\Users\Public\OneDrive.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3880 wrote to memory of 3896 N/A C:\Users\Public\OneDrive.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 4036 N/A C:\Users\Public\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 4036 N/A C:\Users\Public\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3080 wrote to memory of 2096 N/A C:\Users\Public\WmiPrvSE.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3080 wrote to memory of 2096 N/A C:\Users\Public\WmiPrvSE.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 3612 N/A C:\Users\Public\SecurityHealthSystray.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 3612 N/A C:\Users\Public\SecurityHealthSystray.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 2388 N/A C:\Users\Public\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 2388 N/A C:\Users\Public\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 2072 N/A C:\Users\Public\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 2072 N/A C:\Users\Public\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 2076 N/A C:\Users\Public\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 2076 N/A C:\Users\Public\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 4600 N/A C:\Users\Public\SecurityHealthSystray.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 4600 N/A C:\Users\Public\SecurityHealthSystray.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3880 wrote to memory of 3764 N/A C:\Users\Public\OneDrive.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3880 wrote to memory of 3764 N/A C:\Users\Public\OneDrive.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3080 wrote to memory of 3464 N/A C:\Users\Public\WmiPrvSE.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3080 wrote to memory of 3464 N/A C:\Users\Public\WmiPrvSE.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 772 N/A C:\Users\Public\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 772 N/A C:\Users\Public\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 4508 N/A C:\Users\Public\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 4508 N/A C:\Users\Public\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 4132 N/A C:\Users\Public\SecurityHealthSystray.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 4132 N/A C:\Users\Public\SecurityHealthSystray.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3880 wrote to memory of 2104 N/A C:\Users\Public\OneDrive.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3880 wrote to memory of 2104 N/A C:\Users\Public\OneDrive.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3080 wrote to memory of 4032 N/A C:\Users\Public\WmiPrvSE.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3080 wrote to memory of 4032 N/A C:\Users\Public\WmiPrvSE.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3080 wrote to memory of 2284 N/A C:\Users\Public\WmiPrvSE.exe C:\Windows\System32\schtasks.exe
PID 3080 wrote to memory of 2284 N/A C:\Users\Public\WmiPrvSE.exe C:\Windows\System32\schtasks.exe
PID 536 wrote to memory of 3492 N/A C:\Users\Public\SecurityHealthSystray.exe C:\Windows\System32\schtasks.exe
PID 536 wrote to memory of 3492 N/A C:\Users\Public\SecurityHealthSystray.exe C:\Windows\System32\schtasks.exe
PID 3880 wrote to memory of 2880 N/A C:\Users\Public\OneDrive.exe C:\Windows\System32\schtasks.exe
PID 3880 wrote to memory of 2880 N/A C:\Users\Public\OneDrive.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\downloader11.exe

"C:\Users\Admin\AppData\Local\Temp\downloader11.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\redline.exe""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""

C:\Users\Admin\AppData\Local\Temp\notepad.exe

"C:\Users\Admin\AppData\Local\Temp\notepad.exe"

C:\Users\Public\OneDrive.exe

"C:\Users\Public\OneDrive.exe"

C:\Users\Public\Runtime Broker.exe

"C:\Users\Public\Runtime Broker.exe"

C:\Users\Public\svhost.exe

"C:\Users\Public\svhost.exe"

C:\Users\Public\WmiPrvSE.exe

"C:\Users\Public\WmiPrvSE.exe"

C:\Users\Public\SecurityHealthSystray.exe

"C:\Users\Public\SecurityHealthSystray.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\redline.exe""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\OneDrive.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\SecurityHealthSystray.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SecurityHealthSystray.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\Users\Public\WmiPrvSE.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\ProgramData\SecurityHealthSystray.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"

C:\ProgramData\SecurityHealthSystray.exe

C:\ProgramData\SecurityHealthSystray.exe

C:\ProgramData\svhost.exe

C:\ProgramData\svhost.exe

C:\ProgramData\Runtime Broker.exe

"C:\ProgramData\Runtime Broker.exe"

C:\Users\Public\WmiPrvSE.exe

C:\Users\Public\WmiPrvSE.exe

C:\ProgramData\SecurityHealthSystray.exe

C:\ProgramData\SecurityHealthSystray.exe

C:\ProgramData\svhost.exe

C:\ProgramData\svhost.exe

C:\ProgramData\Runtime Broker.exe

"C:\ProgramData\Runtime Broker.exe"

C:\Users\Public\WmiPrvSE.exe

C:\Users\Public\WmiPrvSE.exe

C:\ProgramData\SecurityHealthSystray.exe

C:\ProgramData\SecurityHealthSystray.exe

C:\ProgramData\svhost.exe

C:\ProgramData\svhost.exe

C:\ProgramData\Runtime Broker.exe

"C:\ProgramData\Runtime Broker.exe"

C:\Users\Public\WmiPrvSE.exe

C:\Users\Public\WmiPrvSE.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 tmpfiles.org udp
US 104.21.21.16:443 tmpfiles.org tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 16.21.21.104.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 104.21.21.16:443 tmpfiles.org tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp
ES 83.38.19.195:1603 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\redline.exe

MD5 307dca9c775906b8de45869cabe98fcd
SHA1 2b80c3a2fd4a235b2cc9f89315a554d0721c0dd1
SHA256 8437bd0ef46a19c9a7c294c53e0429b40e76ebbd5fe9fd73a9025752495ddb1c
SHA512 80c03f7add3a33a5df7b1f1665253283550dac484d26339ecd85672fb506dce44bd0bf96275d5c41a2e7369c3b604de377b7f5985d7d0d76c7ac663d60a67a1c

C:\Users\Admin\AppData\Local\Temp\notepad.exe

MD5 5dc898e0f4a504cf08b3bf1121108cfd
SHA1 ebccf6c07546640bcd6db32d99cf3e1a30a415c9
SHA256 14cd22fbf91e4e47cd635359460b65f57ebc39b68956db35b55090890b4a2dcf
SHA512 a0ef35d1f21ef2703c27946a57830db25b6ad7f8d01d4439021887f82198d07a4f62417c99590deb29d0c9ea4028d84f72ee37955653f63f57dfe37c90b0db02

memory/3124-8-0x0000000000250000-0x0000000000A04000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e6acf542-692a-4eeb-8143-80ce8cd764ce\AgileDotNetRT64.dll

MD5 05b012457488a95a05d0541e0470d392
SHA1 74f541d6a8365508c794ef7b4ac7c297457f9ce3
SHA256 1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d
SHA512 6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

memory/3124-15-0x00007FFF9AC40000-0x00007FFF9B7C4000-memory.dmp

memory/3124-17-0x00007FFF9AC40000-0x00007FFF9B7C4000-memory.dmp

memory/3124-18-0x00007FFF9C670000-0x00007FFF9C7BE000-memory.dmp

C:\Users\Public\OneDrive.exe

MD5 f73513e6c124d9749dfd123151e6db5f
SHA1 4779c67fd22ca94d8e6493d2ff4926c420a6660d
SHA256 1b6126e0c126c7bf6c89a8930e0ae65d09bb8bb6f1a5561e8c7108120ebdd0e0
SHA512 7ffa503e5259c3273c64078ee0f7911e037f0a10629078d2ff269ae5db1eab528138c4d02dd06e0668521bc75a8e2a99e5df50002098be9f0dc47b87c0cae7b5

C:\Users\Public\Runtime Broker.exe

MD5 91d837ae278e58ffae9b9cecb989127b
SHA1 5d95e758e763ac6390abd58e4e53238c6bb4c7a5
SHA256 348d4b3310a62ffa0313285c4e7903d8757b6aa904b8614443a6ac966b4c392a
SHA512 b645023240e0cb4029058c235031fed22fed79b93db324c6c385eb02291b3fe1d053585e6372e0f0b96265ff432b8f574d4e0a8c99edfd22069e417375c3870f

C:\Users\Public\svhost.exe

MD5 407deed69dbb3dc1aa3e9fc1befdc54c
SHA1 aa58d9656c172cdd23512dfaf14d202fb447ecf9
SHA256 3c226cbe5a0e25ca489394ce37951eabb65ae0a86151d16d145fb63df2933128
SHA512 45c6b2b9280e288517c8233cb2b90e49f214e354f6056cf7dd163e382c14b82508eaa6590166ffdcd265f2e3a3c612a25bd5166eafef825b896f53ede621b2da

memory/3880-49-0x0000000000790000-0x00000000007BC000-memory.dmp

C:\Users\Public\WmiPrvSE.exe

MD5 669b9254354d91b88d1e2ed0a819ad3a
SHA1 aba685e5c4661bcf3b41b26ff7948c785b57a95e
SHA256 3e96447e464c59ec274c7cba90ec8e88814273fcdec782ed896949f476c592e4
SHA512 e9b268d92737e999d8e5297f6eb4038962d7bc610285dc746dd9d01ebaa1b9789eada1e131ed345a06fb6b608a73c34e7cfebc4797a9f34bdd304f23457ae0a4

memory/1412-65-0x0000000000800000-0x0000000000816000-memory.dmp

C:\Users\Public\SecurityHealthSystray.exe

MD5 ffe034d7354384175a0c41efe19cb7df
SHA1 9601ec9a836547f21b39acc43b48fa5258863551
SHA256 b3a04200c5bdc579d24c279e04c31db6f623177b629ea1086cb64362417ac910
SHA512 e782dece3f1b9fa572f0efb587fdbbee6657c8f089656626c27d1ad032854aabec09eb35e63c91b53f061a44b2a595832ad2d8e01760a7d1df6e09157b3daa92

memory/4424-76-0x0000000000A30000-0x0000000000A46000-memory.dmp

memory/3124-81-0x00007FFF9AC40000-0x00007FFF9B7C4000-memory.dmp

memory/536-80-0x00000000001B0000-0x00000000001F4000-memory.dmp

memory/3080-79-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_04krvgey.ove.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4012-94-0x0000019EEE930000-0x0000019EEE952000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk


C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log
