Analysis

max time kernel: 600s
max time network: 605s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 31-05-2024 03:39

Static task: static1
Behavioral task: behavioral1
Sample: Output.exe
Resource: win10v2004-20240508-en

Errors
General

Target: Output.exe
Size: 107.1MB
MD5: 3670535d0c66e883ef860251db57cd58
SHA1: a2ab33e914970d615341aff4de1f5c836bb61252
SHA256: 3334e3754179b8a49c17d76a4b89365384a2988980a01cc372553680a2425304
SHA512: d65e26a4e512242eab7b07fb5eb54eb1897d458a4d511d6c6ee330cde3b4c626bec3a91f4e83bfd0e48863c30d57b5bcb5a2647d96f342b31d4f8f0ee9ce025f
SSDEEP: 1572864:wYBW7N98NbdcFzMArhkeAmWQNUxqtO9X0E/XhOVtlGQHsZT7PiHnku7dfqvPAq4:jBGN98NXAJjEVd/Xh0GQoiHku4LnBB
Malware Config

Extracted
Family: xworm
C2:
  127.0.0.1:40971
  us3.localto.net:40971
  Name1442-40971.portmap.host:40971
Install_directory: %Temp%
install_file: KVRT.exe
Signatures

Detect Xworm Payload (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\XClient.exe | family_xworm
  behavioral2/memory/2520-13-0x0000000000630000-0x000000000064C000-memory.dmp | family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
  pid | process
  1568 | powershell.exe
  4460 | powershell.exe
  2432 | powershell.exe
  3408 | powershell.exe
Drops file in Drivers directory (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\System32\Drivers\klupd_4de68b90a_arkmon.sys | 812718e5.exe
  File created | C:\Windows\System32\Drivers\4de68b90.sys | 812718e5.exe

Sets service image path in registry (2 TTPs, 6 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4de68b90\ImagePath = "System32\\Drivers\\4de68b90.sys" | 812718e5.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4de68b90a_arkmon\ImagePath = "System32\\Drivers\\klupd_4de68b90a_arkmon.sys" | 812718e5.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4de68b90a_klbg\ImagePath = "System32\\Drivers\\klupd_4de68b90a_klbg.sys" | 812718e5.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4de68b90a_klark\ImagePath = "System32\\Drivers\\klupd_4de68b90a_klark.sys" | 812718e5.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4de68b90a_mark\ImagePath = "System32\\Drivers\\klupd_4de68b90a_mark.sys" | 812718e5.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4de68b90a_arkmon_FD710C43\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\FD710C439F89CA6B7D8CAF3EE6F307D0\\klupd_4de68b90a_arkmon.sys" | 812718e5.exe

Drops startup file (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KVRT.lnk | XClient.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KVRT.lnk | XClient.exe

Executes dropped EXE (7 IoCs)
Processes:
  pid | process
  2520 | XClient.exe
  1192 | KVRT.exe
  956 | 812718e5.exe
  3152 | KVRT.exe
  3044 | KVRT.exe
  224 | KVRT.exe
  2120 | KVRT.exe

Loads dropped DLL (40 IoCs)
Processes:
  pid | process
  956 | 812718e5.exe   (identical row repeated 40 times)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\a16f836a-9056-4520-8f42-052ee5706392 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{9c1f7ea4-5677-4ca7-8c33-72db001da2e3}\\a16f836a-9056-4520-8f42-052ee5706392.cmd\"" | 812718e5.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\KVRT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KVRT.exe" | XClient.exe

Checks for any installed AV software in registry (1 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\SOFTWARE\KasperskyLab | 812718e5.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\F: | 812718e5.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  1 | ip-api.com

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | 812718e5.exe
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTPs, 2 IoCs)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
  description | ioc | process
  File opened (read-only) | \??\VBoxMiniRdrDN | KVRT.exe
  File opened (read-only) | \??\VBoxMiniRdrDN | 812718e5.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies data under HKEY_USERS (15 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "24" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe

Modifies registry key (1 TTPs, 1 IoCs)

Runs ping.exe (1 TTPs, 2 IoCs)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid | process
  956 | 812718e5.exe
  2520 | XClient.exe
Suspicious behavior: EnumeratesProcesses (31 IoCs)
Processes:
  pid | process
  2432 | powershell.exe   (x2)
  3408 | powershell.exe   (x2)
  1568 | powershell.exe   (x2)
  4460 | powershell.exe   (x2)
  2520 | XClient.exe   (x7)
  956 | 812718e5.exe   (x16)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid | process
  956 | 812718e5.exe

Suspicious behavior: LoadsDriver (4 IoCs)
Processes:
  pid | process
  956 | 812718e5.exe   (x4)

Suspicious use of AdjustPrivilegeToken (59 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2520 | XClient.exe   (x2)
  Token: SeDebugPrivilege | 2432 | powershell.exe
  Token: SeDebugPrivilege | 3408 | powershell.exe
  Token: SeDebugPrivilege | 1568 | powershell.exe
  Token: SeDebugPrivilege | 4460 | powershell.exe
  Token: SeDebugPrivilege | 3152 | KVRT.exe
  Token: SeDebugPrivilege | 3044 | KVRT.exe
  Token: SeDebugPrivilege | 224 | KVRT.exe
  Token: SeDebugPrivilege | 2120 | KVRT.exe
  Token: SeShutdownPrivilege | 4712 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | 4712 | shutdown.exe
  Token: SeDebugPrivilege | 956 | 812718e5.exe
  Token: SeBackupPrivilege | 956 | 812718e5.exe
  Token: SeRestorePrivilege | 956 | 812718e5.exe
  Token: SeLoadDriverPrivilege | 956 | 812718e5.exe
  Token: SeShutdownPrivilege | 956 | 812718e5.exe
  Token: SeSystemEnvironmentPrivilege | 956 | 812718e5.exe
  Token: SeSecurityPrivilege | 956 | 812718e5.exe
  Token: SeCreatePermanentPrivilege | 956 | 812718e5.exe
  Token: SeIncreaseQuotaPrivilege | 956 | 812718e5.exe
  Token: SeSystemProfilePrivilege | 956 | 812718e5.exe
  Token: SeMachineAccountPrivilege | 956 | 812718e5.exe
  Token: SeCreateTokenPrivilege | 956 | 812718e5.exe
  Token: SeAssignPrimaryTokenPrivilege | 956 | 812718e5.exe
  Token: SeTcbPrivilege | 956 | 812718e5.exe
  Token: SeAuditPrivilege | 956 | 812718e5.exe
  (PID 956 accounts for 47 of the 59 rows; repeated token rows are collapsed above)

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
  pid | process
  956 | 812718e5.exe   (identical row repeated 64 times)

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid | process
  956 | 812718e5.exe
  2520 | XClient.exe
  408 | LogonUI.exe

Suspicious use of WriteProcessMemory (28 IoCs)
Processes:
  description | pid | process | target process
  PID 1800 wrote to memory of 2520 | 1800 | Output.exe | XClient.exe   (x2)
  PID 1800 wrote to memory of 1192 | 1800 | Output.exe | KVRT.exe   (x3)
  PID 2520 wrote to memory of 2432 | 2520 | XClient.exe | powershell.exe   (x2)
  PID 2520 wrote to memory of 3408 | 2520 | XClient.exe | powershell.exe   (x2)
  PID 1192 wrote to memory of 956 | 1192 | KVRT.exe | 812718e5.exe   (x3)
  PID 2520 wrote to memory of 1568 | 2520 | XClient.exe | powershell.exe   (x2)
  PID 2520 wrote to memory of 4460 | 2520 | XClient.exe | powershell.exe   (x2)
  PID 2520 wrote to memory of 4856 | 2520 | XClient.exe | schtasks.exe   (x2)
  PID 956 wrote to memory of 3828 | 956 | 812718e5.exe | cmd.exe   (x2)
  PID 3828 wrote to memory of 3832 | 3828 | cmd.exe | PING.EXE   (x2)
  PID 3828 wrote to memory of 4612 | 3828 | cmd.exe | PING.EXE   (x2)
  PID 3828 wrote to memory of 1648 | 3828 | cmd.exe | reg.exe   (x2)
  PID 2520 wrote to memory of 4712 | 2520 | XClient.exe | shutdown.exe   (x2)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Output.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Output.exe"
    PID: 1800
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Roaming\XClient.exe
      Command line: "C:\Users\Admin\AppData\Roaming\XClient.exe"
      PID: 2520
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        PID: 2432
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        PID: 3408
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\KVRT.exe'
        PID: 1568
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KVRT.exe'
        PID: 4460
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "KVRT" /tr "C:\Users\Admin\AppData\Local\Temp\KVRT.exe"
        PID: 4856
        - Creates scheduled task(s)

    [3] C:\Windows\SYSTEM32\shutdown.exe
        Command line: shutdown.exe /f /s /t 0
        PID: 4712
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Roaming\KVRT.exe
      Command line: "C:\Users\Admin\AppData\Roaming\KVRT.exe"
      PID: 1192
      - Executes dropped EXE
      - Checks for VirtualBox DLLs, possible anti-VM trick
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}\812718e5.exe
        Command line: C:/Users/Admin/AppData/Local/Temp/{096ffa49-d3dd-476f-b2e0-dff9e82b0a1c}/\812718e5.exe
        PID: 956
        - Drops file in Drivers directory
        - Sets service image path in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks for any installed AV software in registry
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Checks for VirtualBox DLLs, possible anti-VM trick
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{9c1f7ea4-5677-4ca7-8c33-72db001da2e3}\a16f836a-9056-4520-8f42-052ee5706392.cmd" "
          PID: 3828
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\PING.EXE
            Command line: ping 127.0.0.1 -n 1
            PID: 3832
            - Runs ping.exe

        [5] C:\Windows\system32\PING.EXE
            Command line: ping 127.0.0.1 -n 1
            PID: 4612
            - Runs ping.exe

        [5] C:\Windows\system32\reg.exe
            Command line: reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v a16f836a-9056-4520-8f42-052ee5706392 /f
            PID: 1648
            - Modifies registry key

[1] C:\Users\Admin\AppData\Local\Temp\KVRT.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\KVRT.exe
    PID: 3152
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\KVRT.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\KVRT.exe
    PID: 3044
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\KVRT.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\KVRT.exe
    PID: 224
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\KVRT.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\KVRT.exe
    PID: 2120
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3a34855 /state1:0x41c64e6d
    PID: 408
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Pre-OS Boot (1)
    Bootkit (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Scheduled Task/Job (1)
Downloads