Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
12-05-2024 13:09
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
XClient.exe
Resource
win10v2004-20240508-en
General
-
Target
XClient.exe
-
Size
216KB
-
MD5
a6d3d1061fb61a90a933acceb1af5358
-
SHA1
ea62a67f7a0726e76e3a849652672dd95868bb00
-
SHA256
370ea3e983c58ed74d3ee9ec54663ff29dba195a040d0fe56c20b7554cf18472
-
SHA512
9341af271094515df448e9ee9273e2d8a3b1101feaaeef64838c2ff908bfdc56b6afc688f117c971e1eb5adc5c8304cec936bac20ff03c23430a6e945c55637d
-
SSDEEP
3072:lBxhsxnroxM7btQ+ROU0Z5hh4DAiKeNhK1pEeGklktiVMPneSYHl:vx+nr2M7bK+YLheDAiKeNkLzblk
Malware Config
Extracted
xworm
2.tcp.eu.ngrok.io:16807
-
Install_directory
%AppData%
-
install_file
svchost.exe
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/5032-1-0x0000000000340000-0x000000000037C000-memory.dmp family_xworm C:\Users\Admin\AppData\Roaming\svchost.exe family_xworm -
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3756-164-0x0000000000400000-0x0000000000545000-memory.dmp modiloader_stage2 behavioral2/memory/3756-166-0x0000000000400000-0x0000000000545000-memory.dmp modiloader_stage2 -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 4952 powershell.exe 4916 powershell.exe 1432 powershell.exe 1960 powershell.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\qvixrp.exe aspack_v212_v242 -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
XClient.exejdxeet.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation XClient.exe Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation jdxeet.exe -
Drops startup file 2 IoCs
Processes:
XClient.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk XClient.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk XClient.exe -
Executes dropped EXE 7 IoCs
Processes:
jdxeet.exehui.exesvchost.exepxncxh.exekdkfjh.exesvchost.exeqvixrp.exepid process 5096 jdxeet.exe 2992 hui.exe 1128 svchost.exe 1292 pxncxh.exe 1124 kdkfjh.exe 3444 svchost.exe 3756 qvixrp.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
XClient.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" XClient.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3771884193" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0C650CB9-1061-11EF-BA70-527CD1CC5F27} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff0fffffff4f00000095030000b4020000 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3771884193" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31106157" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5073b2e16da4da01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 305abee16da4da01 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31106157" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002322fad14fdb874f8edc4f7e0cc1913e000000000200000000001066000000010000200000003eec180fcae58414e1e843d6577938458b1db34d55c7bf72c95449fbf834f05b000000000e8000000002000020000000f4de29ad5145fafcdc9abb42e6ff416bea163c999b067653fd7b333ed4b87cf7200000006e60e25ef77e03ea890eb6c181055da074f9b8e931b9e29ef8a41990079bdb854000000092ee79d523f1c9746491c1c9530a4498dc313452bc06a75ad5c214419ec220499d2529197bd7ac0ef9bf29d7f126febbdf9cc17a979bc9acb065f9e11b43ec33 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002322fad14fdb874f8edc4f7e0cc1913e00000000020000000000106600000001000020000000864f0ead8577483ff25c1f5e9fca19d95a4b44de1ec62915cfedbfe8cef1762e000000000e80000000020000200000000b9a2e56b86132bb01ce5950d0ecdb45230792904dad54d11408a831e8118c7d200000003bdb4d1809b7014082d7685490ce14e18d931db6239d32851088ed11cafd344f40000000bd6dd0693853f76173a03021ee714483a6528594b85a038dca9f7239f39a6415c88d09644f8cad52013ba5a943c258dbfbf47a4294849c62751274d5a439e529 iexplore.exe -
Modifies registry class 1 IoCs
Processes:
XClient.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings XClient.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
vlc.exepid process 1396 vlc.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exeXClient.exepid process 4952 powershell.exe 4952 powershell.exe 4916 powershell.exe 4916 powershell.exe 1432 powershell.exe 1432 powershell.exe 1960 powershell.exe 1960 powershell.exe 5032 XClient.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
vlc.exepid process 1396 vlc.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
XClient.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exeAUDIODG.EXEvlc.exesvchost.exedescription pid process Token: SeDebugPrivilege 5032 XClient.exe Token: SeDebugPrivilege 4952 powershell.exe Token: SeDebugPrivilege 4916 powershell.exe Token: SeDebugPrivilege 1432 powershell.exe Token: SeDebugPrivilege 1960 powershell.exe Token: SeDebugPrivilege 5032 XClient.exe Token: SeDebugPrivilege 1128 svchost.exe Token: 33 4640 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 4640 AUDIODG.EXE Token: 33 1396 vlc.exe Token: SeIncBasePriorityPrivilege 1396 vlc.exe Token: SeDebugPrivilege 3444 svchost.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
iexplore.exevlc.exekdkfjh.exepid process 3100 iexplore.exe 3100 iexplore.exe 1396 vlc.exe 1396 vlc.exe 1396 vlc.exe 1396 vlc.exe 1396 vlc.exe 1396 vlc.exe 1396 vlc.exe 1396 vlc.exe 1396 vlc.exe 1124 kdkfjh.exe 1124 kdkfjh.exe 1124 kdkfjh.exe 1124 kdkfjh.exe 1124 kdkfjh.exe 1124 kdkfjh.exe 1124 kdkfjh.exe 1124 kdkfjh.exe 1124 kdkfjh.exe 1124 kdkfjh.exe 1124 kdkfjh.exe 1124 kdkfjh.exe 1124 kdkfjh.exe 1124 kdkfjh.exe -
Suspicious use of SendNotifyMessage 8 IoCs
Processes:
vlc.exepid process 1396 vlc.exe 1396 vlc.exe 1396 vlc.exe 1396 vlc.exe 1396 vlc.exe 1396 vlc.exe 1396 vlc.exe 1396 vlc.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
XClient.exeiexplore.exeIEXPLORE.EXEpxncxh.exevlc.exekdkfjh.exepid process 5032 XClient.exe 3100 iexplore.exe 3100 iexplore.exe 208 IEXPLORE.EXE 208 IEXPLORE.EXE 3100 iexplore.exe 1292 pxncxh.exe 1396 vlc.exe 1124 kdkfjh.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
XClient.exejdxeet.exeiexplore.exedescription pid process target process PID 5032 wrote to memory of 4952 5032 XClient.exe powershell.exe PID 5032 wrote to memory of 4952 5032 XClient.exe powershell.exe PID 5032 wrote to memory of 4916 5032 XClient.exe powershell.exe PID 5032 wrote to memory of 4916 5032 XClient.exe powershell.exe PID 5032 wrote to memory of 1432 5032 XClient.exe powershell.exe PID 5032 wrote to memory of 1432 5032 XClient.exe powershell.exe PID 5032 wrote to memory of 1960 5032 XClient.exe powershell.exe PID 5032 wrote to memory of 1960 5032 XClient.exe powershell.exe PID 5032 wrote to memory of 4484 5032 XClient.exe schtasks.exe PID 5032 wrote to memory of 4484 5032 XClient.exe schtasks.exe PID 5032 wrote to memory of 5096 5032 XClient.exe jdxeet.exe PID 5032 wrote to memory of 5096 5032 XClient.exe jdxeet.exe PID 5032 wrote to memory of 5096 5032 XClient.exe jdxeet.exe PID 5096 wrote to memory of 2992 5096 jdxeet.exe hui.exe PID 5096 wrote to memory of 2992 5096 jdxeet.exe hui.exe PID 5096 wrote to memory of 2992 5096 jdxeet.exe hui.exe PID 5032 wrote to memory of 3100 5032 XClient.exe iexplore.exe PID 5032 wrote to memory of 3100 5032 XClient.exe iexplore.exe PID 3100 wrote to memory of 208 3100 iexplore.exe IEXPLORE.EXE PID 3100 wrote to memory of 208 3100 iexplore.exe IEXPLORE.EXE PID 3100 wrote to memory of 208 3100 iexplore.exe IEXPLORE.EXE PID 5032 wrote to memory of 1292 5032 XClient.exe pxncxh.exe PID 5032 wrote to memory of 1292 5032 XClient.exe pxncxh.exe PID 5032 wrote to memory of 1292 5032 XClient.exe pxncxh.exe PID 5032 wrote to memory of 1396 5032 XClient.exe vlc.exe PID 5032 wrote to memory of 1396 5032 XClient.exe vlc.exe PID 5032 wrote to memory of 1124 5032 XClient.exe kdkfjh.exe PID 5032 wrote to memory of 1124 5032 XClient.exe kdkfjh.exe PID 5032 wrote to memory of 1124 5032 XClient.exe kdkfjh.exe PID 5032 wrote to memory of 3756 5032 XClient.exe qvixrp.exe PID 5032 wrote to memory of 3756 5032 XClient.exe qvixrp.exe PID 5032 wrote to memory of 3756 5032 XClient.exe qvixrp.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Creates scheduled task(s)
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\jdxeet.exe"C:\Users\Admin\AppData\Local\Temp\jdxeet.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hui.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\hui.exe" huy3⤵
- Executes dropped EXE
PID:2992 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\jrjhpp.gif2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3100 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:208 -
C:\Users\Admin\AppData\Local\Temp\pxncxh.exe"C:\Users\Admin\AppData\Local\Temp\pxncxh.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1292 -
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\pleotd.mp3"2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1396 -
C:\Users\Admin\AppData\Local\Temp\kdkfjh.exe"C:\Users\Admin\AppData\Local\Temp\kdkfjh.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1124 -
C:\Users\Admin\AppData\Local\Temp\qvixrp.exe"C:\Users\Admin\AppData\Local\Temp\qvixrp.exe"2⤵
- Executes dropped EXE
PID:3756
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1128
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4fc 0x5101⤵
- Suspicious use of AdjustPrivilegeToken
PID:4640
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3444
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.logFilesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5fe9b96bc4e29457b2d225a5412322a52
SHA1551e29903e926b5d6c52a8f57cf10475ba790bd0
SHA256e81b9bfd38a5199813d703d5caf75baa6f62847b2b9632302b5d6f10dd6cf997
SHA512ff912526647f6266f37749dfdc3ed5fd37c35042ba481331434168704c827d128c22093ba73d7ad0cecde10365f0978fcd3f3e2af1a1c280cd2e592a62d5fa80
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5fd98baf5a9c30d41317663898985593b
SHA1ea300b99f723d2429d75a6c40e0838bf60f17aad
SHA2569d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96
SHA512bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hui.exeFilesize
5KB
MD517b935ed6066732a76bed69867702e4b
SHA123f28e3374f9d0e03d45843b28468aace138e71c
SHA256e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0
SHA512774ea047cdc5f008df03ad67242df04d630bb962bc99f1ea8974a21baf6a902c7a5d8b8d09d9e5c7d7e46b0378c7baf33bf80fb3e34777cd0958b8fc740d0318
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xui2.curFilesize
17KB
MD580fcc551fcb92f6375367606929b1ace
SHA113ad7d7c9c9da1a9cf0c0d137bc3913cbfea4752
SHA2562e2e40cf20b05f305ab13669d0169d4ac93510113b2c8ee96ac1e85069709f66
SHA512394098d308a72757d821e98d7ad43122bafdde0afaf767040b7188a87f6027d491922f705b94c1a119de6dc2254bcf59bb36c25ff318c29a7180ccfcc29a3ca8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_edu1iezf.ct2.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\jdxeet.exeFilesize
331KB
MD5505422c9466bc4cfe6d81572cbcab910
SHA1ff6a91880f66d5d3588a897b5e281114c73710ec
SHA2569baf1b8474b107170d63131dd8005127bb15866a11d57cd95e3ec67a89d59712
SHA5123da84fda52b1adbe2ccef090f34831a08bbfd3a7398c70e03c9dccb0ef4208992a0c32e2ecbb752c9b13e56449ce7213d50a5aec9edc1cc504b0f750b5321846
-
C:\Users\Admin\AppData\Local\Temp\jrjhpp.gifFilesize
1.8MB
MD5fc3be38373852d2441f84dbba4b2c857
SHA1214ef808a31640950ef4d07210bef0b9680681eb
SHA2567c3a86f7c88664b4a8d0cbd9f1d56833cac40dadbf69f880a8121d74b3d038d5
SHA5127de83144aacda683641780ee10a22a49be39b1f229f22489840b7ab1bd24d4a3a24b11761ca854d0ee4ee4c894560adf1c26dfe0c75052174328e0d9e871f770
-
C:\Users\Admin\AppData\Local\Temp\kdkfjh.exeFilesize
2.4MB
MD59729d33f5cc788e9c1930bcc968acffa
SHA168c662875f7b805dd6f246919d406c8d92158073
SHA2563711a334cb3c6e2a92461067f2d7db2946e9b139f1517b214bc929ba42a86aae
SHA512af12beee6da79e5498eb292eb4a122667bf5dcdf840def97a5476adb31e0701a2aa0585b4266547bb4307c3524c7f9733dbf32f2a87c87b33fadb4bb1ecd0c3f
-
C:\Users\Admin\AppData\Local\Temp\pleotd.mp3Filesize
104KB
MD57be2698f2473d5e045454955ec75e057
SHA15ce290a2b042d360cf12b751bd60eb805243c224
SHA256052f22397d86844269f3d168432e235b06e3c479cc64df131a3acc1311981342
SHA51264223de21129043668dbb3ec67babcef865a861dfb7fdf45368f3fcc53f579fcf31b8cdf61c1a05896a424e118ae0340e1b6f370b61eacf0f32937fd50c04977
-
C:\Users\Admin\AppData\Local\Temp\pxncxh.exeFilesize
32KB
MD5464d1821f7a15ad61364180aa38bf33b
SHA1941ef8750a84b4cdfe1b5f9aefb862aa95276515
SHA256cfb20098a65630d4488e23032169ea4564f92deeac6638a7607c19333e44dd65
SHA51296cc0daa0dab9aed1c6f51c9033ae21e8c26f83002a8d77428e13b6cdee05968447c2fb2b76bcbaa984c8f87be03561c08d915fd7335ddcfeedb769e8a20acc0
-
C:\Users\Admin\AppData\Local\Temp\qvixrp.exeFilesize
699KB
MD581dd862410af80c9d2717af912778332
SHA18f1df476f58441db5973ccfdc211c8680808ffe1
SHA25660e76eda46185d1d2e9463d15e31d4c87eb03535d368cc3471c55992bc99ad5f
SHA5128dd014b91fb1e2122d2e4da444db78dd551513c500d447bb1e94ceb7f2f8d45223a8a706e2156102f8c8850d2bb02ae6b8ea0c9282abd7baaa2c84130112af15
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
216KB
MD5a6d3d1061fb61a90a933acceb1af5358
SHA1ea62a67f7a0726e76e3a849652672dd95868bb00
SHA256370ea3e983c58ed74d3ee9ec54663ff29dba195a040d0fe56c20b7554cf18472
SHA5129341af271094515df448e9ee9273e2d8a3b1101feaaeef64838c2ff908bfdc56b6afc688f117c971e1eb5adc5c8304cec936bac20ff03c23430a6e945c55637d
-
memory/1124-152-0x0000000000400000-0x0000000000671000-memory.dmpFilesize
2.4MB
-
memory/1124-165-0x0000000000400000-0x0000000000671000-memory.dmpFilesize
2.4MB
-
memory/1396-140-0x00007FFC59A20000-0x00007FFC59CD6000-memory.dmpFilesize
2.7MB
-
memory/1396-141-0x00007FFC55FE0000-0x00007FFC57090000-memory.dmpFilesize
16.7MB
-
memory/1396-138-0x00007FF67CD10000-0x00007FF67CE08000-memory.dmpFilesize
992KB
-
memory/1396-139-0x00007FFC6EEF0000-0x00007FFC6EF24000-memory.dmpFilesize
208KB
-
memory/2992-80-0x0000000000540000-0x0000000000548000-memory.dmpFilesize
32KB
-
memory/3756-166-0x0000000000400000-0x0000000000545000-memory.dmpFilesize
1.3MB
-
memory/3756-164-0x0000000000400000-0x0000000000545000-memory.dmpFilesize
1.3MB
-
memory/4952-4-0x00007FFC5F790000-0x00007FFC60251000-memory.dmpFilesize
10.8MB
-
memory/4952-14-0x0000025DB5210000-0x0000025DB5232000-memory.dmpFilesize
136KB
-
memory/4952-17-0x00007FFC5F790000-0x00007FFC60251000-memory.dmpFilesize
10.8MB
-
memory/4952-3-0x00007FFC5F790000-0x00007FFC60251000-memory.dmpFilesize
10.8MB
-
memory/5032-0-0x00007FFC5F793000-0x00007FFC5F795000-memory.dmpFilesize
8KB
-
memory/5032-2-0x00007FFC5F790000-0x00007FFC60251000-memory.dmpFilesize
10.8MB
-
memory/5032-56-0x00007FFC5F793000-0x00007FFC5F795000-memory.dmpFilesize
8KB
-
memory/5032-1-0x0000000000340000-0x000000000037C000-memory.dmpFilesize
240KB
-
memory/5032-57-0x00007FFC5F790000-0x00007FFC60251000-memory.dmpFilesize
10.8MB