gurcu | acd88b193946ae308f578a08a3426bf6d162f6af6f01401ba264b01e732bbddc

Analysis

max time kernel
377s
max time network
363s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 17:09

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

svchost.exe
Size

90KB
MD5

8f535a06fc7c41dcef821b0459066961
SHA1

279430ac0656ca0863aea9e02e47bd1988fa63c1
SHA256

acd88b193946ae308f578a08a3426bf6d162f6af6f01401ba264b01e732bbddc
SHA512

0ffe370fe384b4a7dc3b8003f7d9e7a5901bb9cf7d3524852db3dbad3b8dc0f3ec3de9a0787db72d79c2ded1166e8ea3b8772e0841e776793ecc2996b3aa729f
SSDEEP

1536:2BveucywHzpDOGugyUGlFCxdGqPKlbuQbcfhE50T6UiLlOBDf1vJJF82jik:kvcySpDImxalbuVhE9lOVf1vbh

Score

10^/10

gurcu xworm evasion execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

147.185.221.22:46682

127.0.0.1:46682

Attributes

Install_directory
%Temp%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7460424057:AAFqb7sl9YoUjtnfCXABy_ETYSrIdrvDNo8/sendMessage?chat_id=7309152263

Extracted

Family

gurcu

https://api.telegram.org/bot7460424057:AAFqb7sl9YoUjtnfCXABy_ETYSrIdrvDNo8/sendMessage?chat_id=7309152263

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2968-1-0x0000000000350000-0x000000000036C000-memory.dmp	family_xworm

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

mlphvz.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, mandela.exe"	mlphvz.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

mlphvz.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mlphvz.exe
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mlphvz.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4840	powershell.exe
4452	powershell.exe
3612	powershell.exe
4388	powershell.exe
1984	powershell.exe
668	powershell.exe
3296	powershell.exe
4128	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exemlphvz.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	mlphvz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

mlphvz.exe

pid process

1288 mlphvz.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

mlphvz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mlphvz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mlphvz.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

64 ip-api.com
18 ip-api.com
Drops file in Windows directory 2 IoCs

Processes:

mlphvz.exe

description ioc process

File created C:\Windows\mandela.exe mlphvz.exe
File opened for modification C:\Windows\mandela.exe mlphvz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2012 taskkill.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3724 schtasks.exe
3228 schtasks.exe

flow	ioc
64	ip-api.com
18	ip-api.com

description	ioc	process
File created	C:\Windows\mandela.exe	mlphvz.exe
File opened for modification	C:\Windows\mandela.exe	mlphvz.exe

pid	process
2012	taskkill.exe

pid	process
3724	schtasks.exe
3228	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exemlphvz.exe

pid	process
1984	powershell.exe
1984	powershell.exe
668	powershell.exe
668	powershell.exe
3296	powershell.exe
3296	powershell.exe
4128	powershell.exe
4128	powershell.exe
2968	svchost.exe
4840	powershell.exe
4840	powershell.exe
4452	powershell.exe
4452	powershell.exe
3612	powershell.exe
3612	powershell.exe
4388	powershell.exe
4388	powershell.exe
3000	svchost.exe
1288	mlphvz.exe
1288	mlphvz.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mlphvz.exe

pid process

1288 mlphvz.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

svchost.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exepowershell.exepowershell.exepowershell.exepowershell.exemlphvz.exeAUDIODG.EXEtaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2968	svchost.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	2968	svchost.exe
Token: SeDebugPrivilege	1420	svchost.exe
Token: SeDebugPrivilege	3768	svchost.exe
Token: SeDebugPrivilege	2368	svchost.exe
Token: SeDebugPrivilege	440	svchost.exe
Token: SeDebugPrivilege	3000	svchost.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	3000	svchost.exe
Token: SeDebugPrivilege	1288	mlphvz.exe
Token: SeTakeOwnershipPrivilege	1288	mlphvz.exe
Token: SeTakeOwnershipPrivilege	1288	mlphvz.exe
Token: 33	2968	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2968	AUDIODG.EXE
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeShutdownPrivilege	1288	mlphvz.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

mlphvz.exe

pid process

1288 mlphvz.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

mlphvz.exe

pid	process
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe
1288	mlphvz.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2968 svchost.exe
3000 svchost.exe

pid	process
2968	svchost.exe
3000	svchost.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

svchost.exesvchost.exemlphvz.execmd.exe

description	pid	process	target process
PID 2968 wrote to memory of 1984	2968	svchost.exe	powershell.exe
PID 2968 wrote to memory of 1984	2968	svchost.exe	powershell.exe
PID 2968 wrote to memory of 668	2968	svchost.exe	powershell.exe
PID 2968 wrote to memory of 668	2968	svchost.exe	powershell.exe
PID 2968 wrote to memory of 3296	2968	svchost.exe	powershell.exe
PID 2968 wrote to memory of 3296	2968	svchost.exe	powershell.exe
PID 2968 wrote to memory of 4128	2968	svchost.exe	powershell.exe
PID 2968 wrote to memory of 4128	2968	svchost.exe	powershell.exe
PID 2968 wrote to memory of 3724	2968	svchost.exe	schtasks.exe
PID 2968 wrote to memory of 3724	2968	svchost.exe	schtasks.exe
PID 2968 wrote to memory of 1288	2968	svchost.exe	mlphvz.exe
PID 2968 wrote to memory of 1288	2968	svchost.exe	mlphvz.exe
PID 3000 wrote to memory of 4840	3000	svchost.exe	powershell.exe
PID 3000 wrote to memory of 4840	3000	svchost.exe	powershell.exe
PID 3000 wrote to memory of 4452	3000	svchost.exe	powershell.exe
PID 3000 wrote to memory of 4452	3000	svchost.exe	powershell.exe
PID 3000 wrote to memory of 3612	3000	svchost.exe	powershell.exe
PID 3000 wrote to memory of 3612	3000	svchost.exe	powershell.exe
PID 3000 wrote to memory of 4388	3000	svchost.exe	powershell.exe
PID 3000 wrote to memory of 4388	3000	svchost.exe	powershell.exe
PID 3000 wrote to memory of 3228	3000	svchost.exe	schtasks.exe
PID 3000 wrote to memory of 3228	3000	svchost.exe	schtasks.exe
PID 1288 wrote to memory of 4308	1288	mlphvz.exe	cmd.exe
PID 1288 wrote to memory of 4308	1288	mlphvz.exe	cmd.exe
PID 4308 wrote to memory of 2012	4308	cmd.exe	taskkill.exe
PID 4308 wrote to memory of 2012	4308	cmd.exe	taskkill.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

mlphvz.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1"	mlphvz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mlphvz.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3724
- C:\Users\Admin\AppData\Local\Temp\mlphvz.exe
  "C:\Users\Admin\AppData\Local\Temp\mlphvz.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1288
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k taskkill /f /im explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2012

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3228

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x244
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2fd8a3401463df33cba7164af13a2cd8

SHA1
5383ba7f4948e6e129d67bdcdc709c5e94559efb

SHA256
664ec49cb64ead15f67a6fe42796317918594d05e97e4be9b610deb60893f5f6

SHA512
0a578b37761d732b161479262359f6d2c5f9cc2daaff48b507d7d2c7af4a7e750f1ef38483531a09dfd51f000484c6507c0f2be068d46656db827cc47a481096

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1400b7208465e875d44190b9b465fcfb

SHA1
ffd77f7fe78207e5a862b4f536d902019a155e26

SHA256
4fc3a908a25bf9861afb2ec7b3f854fadd986ac281b134cb4e89e46ba6aed0c5

SHA512
57596642a72347985ae9dda5a9e8d01a5c6cbeb5fac227d69fa1fbf38ae867ea4f434f9aec8b990ca397295886ce503abad49efed2f6ea7fdd6bf5d803bf1f38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
76692775e4781f0c9f0092f5804cfdb1

SHA1
6740e4e4110028c62282ee1e7eb8be576a2bc23a

SHA256
0c451ff3823450d544066237cbfb08556b7ca36c4a0ea085055f69ab35795b00

SHA512
6e0731e3736594d9e86da2fc33e08a663f29100074cc8d46e2716123c946b9eb150c804c7cf8428cac631e1cff984663d41ce3b5e1e77965bd8e2ecf0742af34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2524e72b0573fa94e9cb8089728a4b47

SHA1
3d5c4dfd6e7632153e687ee866f8ecc70730a0f1

SHA256
fafde5bec1db5e838e0a43603714686f9911b7aaa8d8ff0fe40f9496a7b38747

SHA512
99a7593a82353f792a58ea99196330aaa8c34ac2f616f0be4b4ca4f76388485866ba96dc62d9b8e7627c1df6a1f74111342307ba82400adce5adac68b47a6fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fnvda2bc.t5b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mlphvz.exe

Filesize
32.7MB

MD5
142aa3c7c549cba374dec10c6f2edab4

SHA1
4272f7505356a1962538bcb0b622f28b358ee1b4

SHA256
69b1ee6ad2aab9f2b08209762bc41636d72c93bf6463bbb9110451e3c284c99d

SHA512
a601d5e8a7a1ba8fe7b11b677057b5ac496125d70297ffc1504f7339910e6f5a48920b0fad0cd7afd384f44d4a7b441b118e2cdbdf826d83aa609d686d7e3038

Download Submit
memory/1288-66-0x0000000000FF0000-0x00000000030AC000-memory.dmp

Filesize
32.7MB

Download
memory/1288-67-0x000000001DC80000-0x000000001DC8C000-memory.dmp

Filesize
48KB

Download
memory/1288-68-0x000000001DCA0000-0x000000001DCA8000-memory.dmp

Filesize
32KB

Download
memory/1288-69-0x000000001DCC0000-0x000000001DCD4000-memory.dmp

Filesize
80KB

Download
memory/1288-70-0x000000001DDE0000-0x000000001DE38000-memory.dmp

Filesize
352KB

Download
memory/1984-17-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp

Filesize
10.8MB

Download
memory/1984-14-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp

Filesize
10.8MB

Download
memory/1984-13-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp

Filesize
10.8MB

Download
memory/1984-12-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp

Filesize
10.8MB

Download
memory/1984-11-0x000001D6EC390000-0x000001D6EC3B2000-memory.dmp

Filesize
136KB

Download
memory/2968-54-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/2968-1-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/2968-0-0x00007FF8A7AD3000-0x00007FF8A7AD5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads