Analysis
- max time kernel: 138s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 23-03-2024 13:29

Static task: static1

Behavioral task: behavioral1
- Sample: XClient.rar
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: XClient.rar
- Resource: win10v2004-20240226-en
General
- Target: XClient.rar
- Size: 40KB
- MD5: f6fe2b78efab65e5ed501ee5f2f9d556
- SHA1: 36add79d625076f8341be0ac6161666a63144425
- SHA256: 22adaea01c871a2dcc4dac36e4590ba5418ff0c487a8583eeda00d852b763647
- SHA512: eae214be1ea131f5aeff1ffce9852b38f2320d5367020ceb39de1abde3ad6f002e7d4ab4eb3bf12a3d4d45fdd052dd25bbbfa6c63a499ea664a3628c2af350e2
- SSDEEP: 768:gXC6/UZqhWl5z0NAVH9QQzgVX/sjrCX2FQuz3n2sH994XiRqyrtVWEN91zvZBm:gXirKAVH9XgB1X2Fp2sdSgTZYEN9g
Malware Config
Extracted: xworm
- discussion-wanted.gl.at.ply.gg:5861
- install_file: USB.exe
Signatures

Detect Xworm Payload 3 IoCs
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe, yara_rule: family_xworm
- resource: behavioral1/memory/2632-35-0x00000000001F0000-0x0000000000208000-memory.dmp, yara_rule: family_xworm
- resource: behavioral1/memory/1728-67-0x0000000000300000-0x0000000000318000-memory.dmp, yara_rule: family_xworm
Detect ZGRat V1 6 IoCs
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\O1QN21UTV33PR7N.exe, yara_rule: family_zgrat_v1
- resource: C:\Blockperf\BlockDhcp.exe, yara_rule: family_zgrat_v1
- resource: \Blockperf\BlockDhcp.exe, yara_rule: family_zgrat_v1
- resource: C:\Blockperf\BlockDhcp.exe, yara_rule: family_zgrat_v1
- resource: \Blockperf\BlockDhcp.exe, yara_rule: family_zgrat_v1
- resource: behavioral1/memory/2024-208-0x0000000000E60000-0x0000000001046000-memory.dmp, yara_rule: family_zgrat_v1
Modifies WinLogon for persistence 2 TTPs 6 IoCs
Processes (all by BlockDhcp.exe; each entry is a Set value (str) on \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell):
- Shell = "explorer.exe, \"C:\\Windows\\tracing\\lsm.exe\""
- Shell = "explorer.exe, \"C:\\Windows\\tracing\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\""
- Shell = "explorer.exe, \"C:\\Windows\\tracing\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\cmd.exe\""
- Shell = "explorer.exe, \"C:\\Windows\\tracing\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\cmd.exe\", \"C:\\Recovery\\53c2ef02-d124-11ee-be41-9f00cc481deb\\csrss.exe\""
- Shell = "explorer.exe, \"C:\\Windows\\tracing\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\cmd.exe\", \"C:\\Recovery\\53c2ef02-d124-11ee-be41-9f00cc481deb\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\""
- Shell = "explorer.exe, \"C:\\Windows\\tracing\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\cmd.exe\", \"C:\\Recovery\\53c2ef02-d124-11ee-be41-9f00cc481deb\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\", \"C:\\Blockperf\\BlockDhcp.exe\""
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; parent pid 2472 in every case; target process schtasks.exe):
- target pid 1752
- target pid 1724
- target pid 2640
- target pid 2556
- target pid 2740
- target pid 1748
- target pid 2044
- target pid 1472
- target pid 1688
- target pid 1640
- target pid 2756
- target pid 2880
- target pid 2768
- target pid 836
- target pid 640
- target pid 3020
- target pid 2960
- target pid 1804
StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload 1 IoCs
Processes:
- resource: behavioral1/memory/2632-304-0x000000001D8E0000-0x000000001D9FE000-memory.dmp, yara_rule: family_stormkitty
Downloads MZ/PE file

Executes dropped EXE 4 IoCs
Processes (pid, process):
- 2632 XClient.exe
- 1556 O1QN21UTV33PR7N.exe
- 2024 BlockDhcp.exe
- 2940 csrss.exe

Loads dropped DLL 2 IoCs
Processes (pid, process):
- 2216 cmd.exe
- 2216 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 12 IoCs
Processes (all by BlockDhcp.exe; each entry is a Set value (str)):
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\tracing\\lsm.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\cmd.exe\""
- \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\smss.exe\""
- \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\BlockDhcp = "\"C:\\Blockperf\\BlockDhcp.exe\""
- \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\tracing\\lsm.exe\""
- \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\""
- \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\cmd.exe\""
- \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\53c2ef02-d124-11ee-be41-9f00cc481deb\\csrss.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\53c2ef02-d124-11ee-be41-9f00cc481deb\\csrss.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BlockDhcp = "\"C:\\Blockperf\\BlockDhcp.exe\""
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- flow 4: ip-api.com
Drops file in System32 directory 2 IoCs
Processes (description, ioc, process):
- File created \??\c:\Windows\System32\annrns.exe (csc.exe)
- File created \??\c:\Windows\System32\CSCAE0E7A127EB44DC3857F28A972F19EAC.TMP (csc.exe)

Drops file in Program Files directory 5 IoCs
Processes (description, ioc, process):
- File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\69ddcba757bf72 (BlockDhcp.exe)
- File created C:\Program Files\Common Files\Microsoft Shared\VC\cmd.exe (BlockDhcp.exe)
- File created C:\Program Files\Common Files\Microsoft Shared\VC\ebf1f9fa8afd6d (BlockDhcp.exe)
- File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe (BlockDhcp.exe)
- File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe (BlockDhcp.exe)

Drops file in Windows directory 2 IoCs
Processes (description, ioc, process):
- File created C:\Windows\tracing\lsm.exe (BlockDhcp.exe)
- File created C:\Windows\tracing\101b941d020240 (BlockDhcp.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process; all schtasks.exe):
- 2640
- 1640
- 640
- 3020
- 2960
- 2556
- 2740
- 1688
- 2768
- 1752
- 2756
- 836
- 1804
- 1724
- 1748
- 2044
- 1472
- 2880
Enumerates system info in registry 2 TTPs 3 IoCs
Processes (description, ioc, process):
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)

Modifies system certificate store
Processes (description, ioc, process):
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (XClient.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data not present in this copy of the report) (XClient.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data not present in this copy of the report) (XClient.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 2888 powershell.exe
- 592 powershell.exe
- 2632 XClient.exe
- 2024 BlockDhcp.exe (the remaining 61 entries all repeat this pid/process pair)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- 2136 7zFM.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes (token, pid, process):
- Token: SeRestorePrivilege 2136 7zFM.exe
- Token: 35 2136 7zFM.exe
- Token: SeSecurityPrivilege 2136 7zFM.exe
- Token: SeDebugPrivilege 2632 XClient.exe
- Token: SeDebugPrivilege 2888 powershell.exe
- Token: SeDebugPrivilege 592 powershell.exe
- Token: SeDebugPrivilege 2632 XClient.exe
- Token: SeSecurityPrivilege 2136 7zFM.exe
- Token: SeDebugPrivilege 1728 XClient.exe
- Token: SeDebugPrivilege 1684 XClient.exe
- Token: SeDebugPrivilege 2024 BlockDhcp.exe
- Token: SeDebugPrivilege 2028 powershell.exe
- Token: SeDebugPrivilege 620 powershell.exe
- Token: SeDebugPrivilege 1156 powershell.exe
- Token: SeDebugPrivilege 1680 powershell.exe
- Token: SeDebugPrivilege 1544 powershell.exe
- Token: SeDebugPrivilege 1572 powershell.exe
- Token: SeDebugPrivilege 2940 csrss.exe

Suspicious use of FindShellTrayWindow 37 IoCs
Processes (pid, process):
- 2136 7zFM.exe (3 entries)
- 1900 chrome.exe (remaining 34 entries)

Suspicious use of SendNotifyMessage 32 IoCs
Processes (pid, process):
- 1900 chrome.exe (all 32 entries)

Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid, process):
- 2632 XClient.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (pid, process, target pid, target process; repeated rows are grouped with their count):
- 2200 cmd.exe wrote to memory of 2136 7zFM.exe (3 entries)
- 2136 7zFM.exe wrote to memory of 2632 XClient.exe (3 entries)
- 2632 XClient.exe wrote to memory of 2888 powershell.exe (3 entries)
- 2632 XClient.exe wrote to memory of 592 powershell.exe (3 entries)
- 2632 XClient.exe wrote to memory of 1556 O1QN21UTV33PR7N.exe (4 entries)
- 1556 O1QN21UTV33PR7N.exe wrote to memory of 1988 WScript.exe (4 entries)
- 1988 WScript.exe wrote to memory of 2216 cmd.exe (4 entries)
- 2216 cmd.exe wrote to memory of 2024 BlockDhcp.exe (4 entries)
- 2024 BlockDhcp.exe wrote to memory of 672 csc.exe (3 entries)
- 672 csc.exe wrote to memory of 1096 cvtres.exe (3 entries)
- 2024 BlockDhcp.exe wrote to memory of 620 powershell.exe (3 entries)
- 2024 BlockDhcp.exe wrote to memory of 1680 powershell.exe (3 entries)
- 2024 BlockDhcp.exe wrote to memory of 1544 powershell.exe (3 entries)
- 2024 BlockDhcp.exe wrote to memory of 1572 powershell.exe (3 entries)
- 2024 BlockDhcp.exe wrote to memory of 1156 powershell.exe (3 entries)
- 2024 BlockDhcp.exe wrote to memory of 2028 powershell.exe (3 entries)
- 2024 BlockDhcp.exe wrote to memory of 1984 cmd.exe (3 entries)
- 1984 cmd.exe wrote to memory of 2292 chcp.com (3 entries)
- 1984 cmd.exe wrote to memory of 1288 w32tm.exe (3 entries)
- 1984 cmd.exe wrote to memory of 2940 csrss.exe (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; [n] is the nesting depth, children are indented under their parent)

[1] C:\Windows\system32\cmd.exe (PID 2200)
    command: cmd /c C:\Users\Admin\AppData\Local\Temp\XClient.rar
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files\7-Zip\7zFM.exe (PID 2136)
      command: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XClient.rar"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe (PID 2632)
        command: "C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe"
        - Executes dropped EXE
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2888)
          command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO85839176\XClient.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 592)
          command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Users\Admin\AppData\Local\Temp\O1QN21UTV33PR7N.exe (PID 1556)
          command: "C:\Users\Admin\AppData\Local\Temp\O1QN21UTV33PR7N.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WScript.exe (PID 1988)
            command: "C:\Windows\System32\WScript.exe" "C:\Blockperf\SsxsOgj7UItOyP.vbe"
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\cmd.exe (PID 2216)
              command: cmd /c ""C:\Blockperf\W03a7eRByVe59tEfoEn5p9hfLGE7liRC1WwfhocqTKwXnqoCeIu86OnqQ.bat" "
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory
            [7] C:\Blockperf\BlockDhcp.exe (PID 2024)
                command: "C:\Blockperf/BlockDhcp.exe"
                - Modifies WinLogon for persistence
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 672)
                  command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvzplhmv\qvzplhmv.cmdline"
                  - Drops file in System32 directory
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 1096)
                    command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41E0.tmp" "c:\Windows\System32\CSCAE0E7A127EB44DC3857F28A972F19EAC.TMP"
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 620)
                  command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\lsm.exe'
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1680)
                  command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1544)
                  command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\VC\cmd.exe'
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1572)
                  command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe'
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1156)
                  command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2028)
                  command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Blockperf\BlockDhcp.exe'
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\System32\cmd.exe (PID 1984)
                  command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5qBi1Kjer8.bat"
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\system32\chcp.com (PID 2292)
                    command: chcp 65001
                [9] C:\Windows\system32\w32tm.exe (PID 1288)
                    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                [9] C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe (PID 2940)
                    command: "C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe"
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken
[1] C:\Users\Admin\Desktop\XClient.exe (PID 1728)
    command: "C:\Users\Admin\Desktop\XClient.exe"
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\Desktop\XClient.exe (PID 1684)
    command: "C:\Users\Admin\Desktop\XClient.exe"
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\schtasks.exe (PID 1752)
    command: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\lsm.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 1724)
    command: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\tracing\lsm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2640)
    command: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\lsm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2556)
    command: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2740)
    command: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 1748)
    command: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2044)
    command: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Microsoft Shared\VC\cmd.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 1472)
    command: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\VC\cmd.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 1688)
    command: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Microsoft Shared\VC\cmd.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 1640)
    command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2756)
    command: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2880)
    command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\53c2ef02-d124-11ee-be41-9f00cc481deb\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2768)
    command: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 836)
    command: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 640)
    command: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 3020)
    command: schtasks.exe /create /tn "BlockDhcpB" /sc MINUTE /mo 9 /tr "'C:\Blockperf\BlockDhcp.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2960)
    command: schtasks.exe /create /tn "BlockDhcp" /sc ONLOGON /tr "'C:\Blockperf\BlockDhcp.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 1804)
    command: schtasks.exe /create /tn "BlockDhcpB" /sc MINUTE /mo 10 /tr "'C:\Blockperf\BlockDhcp.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1900)
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe"
    - Enumerates system info in registry
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2824)
      command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7109758,0x7fef7109768,0x7fef7109778
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1604)
      command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=284 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:2
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2712)
      command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:8
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2680)
      command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:8
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2348)
      command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2248 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:1
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1612)
      command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2256 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:1
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2320)
      command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=988 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:2
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2688)
      command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3228 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:1
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2784)
      command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3888 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:8
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2752)
      command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3964 --field-trial-handle=1296,i,4834291519242410528,6804434702245558669,131072 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:332
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
  Registry Run Keys / Startup Folder (1)
  Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
  Registry Run Keys / Startup Folder (1)
  Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Downloads
-
Filesize
1.9MB
MD5
885ad16db4188802c438079fef3e24bf
SHA1
8f941a38471c9ad803a5f79ada6fe88c0bcebe1b
SHA256
581d9667e6d2b6fa9c5630f72a5bfe24622719ab0adce77c5ac3f207af871b5c
SHA512
54e17934a19994b847070705741e3b10c4145b6e9b940a563ab0835b4975cb091afbd783e48a981abd84c1b684ea8c4abfd08a83469b2580058a1f9c1959ec55
-
Filesize
1.2MB
MD5
404c42b1d69843238b60cb02900199c2
SHA1
3a157c1860640757fda1dd8c21bae48d23109a75
SHA256
d3618dd3842ee12a3716a6b9aada892d9eaa65203710d720e77ed2a47d24d2a9
SHA512
139f24cc59a1ab27f6297204b104a8f8fd2411c14bd748b5cb9b039432841be9a8be3ffd951f89006d8fe9e7ba11d78b6668e49eb2fc327f7a57347789f91f38
-
Filesize
256B
MD5
7bd4ae5733494fe9888a9fb6cc6212b6
SHA1
155ea81b368875d5015e49b11b7ccdb9458505bd
SHA256
00fafff153878b3bc60ab36aafda3d2fccbab69c728153733fcf857016c93d50
SHA512
c573019171da281cf08d64dfdec1f71ba444819f1f444021543296cdb3fe8225e024895294ca0856e588d20789cd763d65ffbd4a0ba5a5ecc645bda2e0080664
-
Filesize
91B
MD5
1d4c24d719063e18d59f87ad8b86f7f0
SHA1
16e96049b02c4ac6017ea616e9419764da32feb9
SHA256
1fe35093cfbf50d0d702dc90e107c1ba9834e37b6e3be78063261eb8ed7a6051
SHA512
1902dec43b5e9552826d09f018b6edf78c993bc8ae96112918ab516790bc2d9c87f92769e4ebe28384f804036efa0fa7a405713226350638e5e4a6bdcaab46f3
-
Filesize
67KB
MD5
753df6889fd7410a2e9fe333da83a429
SHA1
3c425f16e8267186061dd48ac1c77c122962456e
SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
6e4052cbe6db7b551ef31d8f56fd83c6
SHA1
9e4993641b0da364348fc386faf2dcae43841854
SHA256
2293aca8ea78ca2af380d3427ab3e71dd5fe12b1edf9fb3f45d4256ca83a63dc
SHA512
c0307a82e11588f1d412e9932172c2816288762867c6625be301a935516a9f97e017925844913280618dbb2c2d46f62a7d73f299dc5d529dafd9a0a79eea6654
-
Filesize
197KB
MD5
5e28e72b443ded036a4cf369d0dda3bf
SHA1
0500de4480a54243b12d096745c6ba04c9479e66
SHA256
15fc7a054efbb9f76d937448fbb4814d7b3f25a6d137e24c1a69e32947eae71e
SHA512
7d17a5248e54e4dda8fd17a4d662edbb274629161a1e25b3b7f7f5112541663a5040788177268c53b2c78bc7e6d2204ccfb342d93c2ceec0a12d8a41788c088b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RFf7875eb.TMP
Filesize
16B
MD5
46295cac801e5d4857d09837238a6394
SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
264KB
MD5
f50f89a0a91564d0b8a211f8921aa7de
SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
16B
MD5
18e723571b00fb1694a3bad6c78e4054
SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
234B
MD5
07ef0bd46e1bd65ad5f0a182a6850fb5
SHA1
0f4506adad70eb859928f6fbf03e74e88a650d58
SHA256
194804b1b7de197d1ddac34b4f59e3e4f1122a586526e90f59a4f756cd161fe4
SHA512
d4874041e288c98e32968003cd7a31226b10cb1a82ca46c8c0ced79a560ffaeb892e73b18b8da1abd5d5ee814df24a5487fef2b8c9ee81ed47822ba08443e305
-
Filesize
46KB
MD5
02d2c46697e3714e49f46b680b9a6b83
SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
69KB
MD5
c44bed88966bd546fbbad5a60a2cf70b
SHA1
c731c6aa73742fcc3e331cd1442e653abedd9db3
SHA256
23d941bb13cd01b74cfb124b540d3a882d61e85ab9bf675357f7f6711d95d961
SHA512
ddd73dbe95fffc5b94be0710c89af50c322e57b3759554248d815b10614446f2d4d0ccbfc184076b56005745dde8da9c98ae04086effe9469b2f8ca1fb1d2067
-
Filesize
20KB
MD5
c9ff7748d8fcef4cf84a5501e996a641
SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
Filesize
2.2MB
MD5
a61d423019f0f0b040c9fa740eac0b32
SHA1
f17c16cf0b313eb622511ce4dfcee561c8579611
SHA256
c6a3c48defac245c5a5895199196518308be9a1aaa6402ba08389eeb5671f4e1
SHA512
7086e88c7b8c48a66401dc8fb6e05ac5f34365b33f982f9b69af7feef5de75f6a73e507f14d6ab463c84ea385d547ccd17f0d02f109d37b30fc30b3be4f14feb
-
Filesize
1KB
MD5
49df49d41c7e8d8872a7e47cc3678ef5
SHA1
a126b62d949fadbac828406ccf7b08c9fe20451d
SHA256
257e28324ec8d93d7be615661b6f19cd0e3b831f0cb79c15d6fbebfe22e5ef4c
SHA512
2250ca7572e50953d4c20be4e0a6b8de3739e12775e55cbfd3755d4fc53b9d89ecaf38c9eb2635ba7e10c2a28a9248171495b077d6f9632f3cc301b5005f1f7e
-
Filesize
175KB
MD5
dd73cead4b93366cf3465c8cd32e2796
SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
Filesize
92KB
MD5
bd46342c69fd0683a51911e8976bf6b9
SHA1
17a2451a41ecaaa03e7634dfd5c534aff30d4ce4
SHA256
f1467f4fb97e82cbb8490d787f2ca113f32fcc94a6d008fffb3ae7e73e5a089b
SHA512
91e7f0bd5acd35b68788d077529b76a54e9bc4875129a2134bfd5ed5e27588cb43fea26a241e184d9170155c961c16bc724e00502f173351ec2df5c9e3cfb32f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
85fd7a37a2a54b631465a2a135a24a19
SHA1
5b3918ea55569e6553c066122ee96df0e5a0e824
SHA256
725b3942b2302e545caf06d282f9519dfa3702b57d55173de31a2421ebd988bf
SHA512
a48020fc7c8694fca441a07180e63b6402e1746dfadbfd2eaa6759a1422273539ee0d4aa143441627ff74ced2db900a5de8d304271a29b74a7779e2ecd1e020a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
843be6f1fc8be19b55201cda0558ea34
SHA1
2f2283517bf170e287f9cc8b31d2a41b1e1624f8
SHA256
0ac38540bc702d2af7f144c1deb7c835857d39aba1277792c424ce7c1f239108
SHA512
dc66896d7fe82e895076b07ad9be4763f665c89535b8ec7a9a7524913245afc65827b4777b08d2eb22e27c58ab7cdc9cf8411f39b23f647abe2b5faf9bf65fd5
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
358B
MD5
8a809ccea14048c92029e0bb90cbdeee
SHA1
bb4f519053accc0b2b22cb8e668117f6cea85406
SHA256
37e89d4e77ce79f047b8636aa625edb34b604e8a0bcd775289050700b50e428a
SHA512
85cce140f750a25fd9172d59c31a66274236a6004258f1387876d430aa3a8609d2a4f345452a828dd1fd4efb7142736a83135bec1aad5d6faec1c20d55c701a9
-
Filesize
235B
MD5
1d1afd7188c6764491f857e875de19c0
SHA1
c20ee41f93fd460328195c79df3b00091122e677
SHA256
ae311c79a1b89d97eb331f16a5bf11a3f6ab79c4850215af1c702900b67276fa
SHA512
36b6476c9707ddc1bebb2dec2b5a997f7ce84ff9eea9381809104a534a26a88234193daf657ae04e0f2b367f218afd8dc3045a46cb815305fbc1ce00a90bf09c
-
Filesize
1KB
MD5
43a92fb26ccec8bcb0162ca5fbfbc2c7
SHA1
e104771c01cfa66de953a741c7481042bb6c1129
SHA256
6ee663461717602a5ed973d81549bc26967ec1e577640708b36d4b5dfda52600
SHA512
be826622ccf91a1f66bcef96c21d95c375f666ee688add5fdd8b3839c5d0d50a4266fdfde8015eadb9090499511b82822e5f08478fa21be3ee453f8cef8a7b04
-
Filesize
1.8MB
MD5
e8b976e2ce8a06d07770fd30bed7c634
SHA1
e661038f24d7702e8ff429cf9e139e741c19391e
SHA256
9df623453c6eb3ead8335e1555de3d1900250e59ae5b21056d01a327bf41858f
SHA512
93df7387233cac93131cc903798aefa363c42193ab106d3f6e2100c751578958167d7ffda22fb65ae582b9f4a10a177a4396bef05fb4cc3c63dfc2b0f78bc596
-
Filesize
1.4MB
MD5
039824c44f3ed63c759521f9cc343c94
SHA1
18735822a45f54dcb19db475851ebae83449bbe0
SHA256
61cca04d87be46a90cf6660c9f98fd3504610e6260ada654502a45abe2400659
SHA512
2de45a8e8cf78b77c46f3f77c37993181031941cb76b3866bfa19e5964fc7657cef7e92c4d80c3f12636a40607c5dee48e8506d46f8d988d78895dbabc651b58