Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 10:48
Static task: static1
Behavioral task: behavioral1
  Sample: 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral2
  Sample: 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
  Resource: win11-20240426-en
General
Target: 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Size: 515KB
MD5: 148b2c38cf0726535d760a703f803c80
SHA1: 107503ca149f547d4745fe9b9a3fbae03d60126c
SHA256: 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d
SHA512: 6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd
SSDEEP: 12288:EMbx504bFjsNfn8lmwaYy//2hWc8CYBMQI4aqNA:Lbw4bR689aYy//2hDPYBMQI4aqN
Malware Config
Extracted
xworm
127.0.0.1:7000
beshomandotestbesnd.run.place:7000
Install_directory: %ProgramData%
install_file: cmd.exe
telegram: https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Signatures
Detect Xworm Payload 1 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/2120-44-0x0000000000400000-0x0000000000418000-memory.dmp  family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid   process
1996  powershell.exe
4816  powershell.exe
4524  powershell.exe
1564  powershell.exe
2948  powershell.exe
1832  powershell.exe
4148  powershell.exe
4292  powershell.exe
3296  powershell.exe
3960  powershell.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                 process
Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  cmd.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  cmd.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Drops startup file 2 IoCs
Processes:
description                   ioc                                                                               process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Executes dropped EXE 4 IoCs
Processes:
pid   process
1404  cmd.exe
228   cmd.exe
388   cmd.exe
2324  cmd.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                        process
Set value (str)  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "C:\\ProgramData\\cmd.exe"  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   process                                                                target process
PID 2012 set thread context of 2120  2012  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 1404 set thread context of 228   1404  cmd.exe                                                                cmd.exe
PID 388 set thread context of 2324   388   cmd.exe                                                                cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
5004  schtasks.exe
2980  schtasks.exe
5112  schtasks.exe
4712  schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   process
2120  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes (identical rows collapsed; the count column gives the number of times the row is listed):
pid   process                                                                count
2012  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe  4
4292  powershell.exe                                                         3
1564  powershell.exe                                                         3
2948  powershell.exe                                                         3
1832  powershell.exe                                                         3
3296  powershell.exe                                                         3
3960  powershell.exe                                                         3
2120  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe  2
1404  cmd.exe                                                                4
4148  powershell.exe                                                         3
1996  powershell.exe                                                         3
388   cmd.exe                                                                4
4816  powershell.exe                                                         3
4524  powershell.exe                                                         3
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2012  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Token: SeDebugPrivilege  4292  powershell.exe
Token: SeDebugPrivilege  1564  powershell.exe
Token: SeDebugPrivilege  2120  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Token: SeDebugPrivilege  2948  powershell.exe
Token: SeDebugPrivilege  1832  powershell.exe
Token: SeDebugPrivilege  3296  powershell.exe
Token: SeDebugPrivilege  3960  powershell.exe
Token: SeDebugPrivilege  2120  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Token: SeDebugPrivilege  1404  cmd.exe
Token: SeDebugPrivilege  4148  powershell.exe
Token: SeDebugPrivilege  1996  powershell.exe
Token: SeDebugPrivilege  228   cmd.exe
Token: SeDebugPrivilege  388   cmd.exe
Token: SeDebugPrivilege  4816  powershell.exe
Token: SeDebugPrivilege  4524  powershell.exe
Token: SeDebugPrivilege  2324  cmd.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
2120  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (identical rows collapsed; the count column gives the number of times the row is listed on this page):
description                       pid   process                                                                target process                                                         count
PID 2012 wrote to memory of 4292  2012  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe  powershell.exe                                                         3
PID 2012 wrote to memory of 1564  2012  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe  powershell.exe                                                         3
PID 2012 wrote to memory of 5004  2012  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe  schtasks.exe                                                           3
PID 2012 wrote to memory of 2120  2012  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe  8
PID 2120 wrote to memory of 2948  2120  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe  powershell.exe                                                         3
PID 2120 wrote to memory of 1832  2120  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe  powershell.exe                                                         3
PID 2120 wrote to memory of 3296  2120  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe  powershell.exe                                                         3
PID 2120 wrote to memory of 3960  2120  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe  powershell.exe                                                         3
PID 2120 wrote to memory of 2980  2120  30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe  schtasks.exe                                                           3
PID 1404 wrote to memory of 4148  1404  cmd.exe                                                                powershell.exe                                                         3
PID 1404 wrote to memory of 1996  1404  cmd.exe                                                                powershell.exe                                                         3
PID 1404 wrote to memory of 5112  1404  cmd.exe                                                                schtasks.exe                                                           3
PID 1404 wrote to memory of 228   1404  cmd.exe                                                                cmd.exe                                                                8
PID 388 wrote to memory of 4816   388   cmd.exe                                                                powershell.exe                                                         3
PID 388 wrote to memory of 4524   388   cmd.exe                                                                powershell.exe                                                         3
PID 388 wrote to memory of 4712   388   cmd.exe                                                                schtasks.exe                                                           3
PID 388 wrote to memory of 2324   388   cmd.exe                                                                cmd.exe                                                                6
Processes
C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2012
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4292
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1564
  C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1DD4.tmp"
    - Creates scheduled task(s)
    PID: 5004
  C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2120
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2948
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1832
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3296
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3960
    C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe"
      - Creates scheduled task(s)
      PID: 2980
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=3852 /prefetch:8
  PID: 3456
C:\ProgramData\cmd.exe (level 1)
  Command line: C:\ProgramData\cmd.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1404
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4148
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1996
  C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC94.tmp"
    - Creates scheduled task(s)
    PID: 5112
  C:\ProgramData\cmd.exe (level 2)
    Command line: "C:\ProgramData\cmd.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 228
C:\ProgramData\cmd.exe (level 1)
  Command line: C:\ProgramData\cmd.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 388
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4816
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4524
  C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA30C.tmp"
    - Creates scheduled task(s)
    PID: 4712
  C:\ProgramData\cmd.exe (level 2)
    Command line: "C:\ProgramData\cmd.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2324
Network
MITRE ATT&CK Enterprise v15
Downloads