Analysis
-
max time kernel
1793s -
max time network
1798s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
08/07/2024, 12:00
General
-
Target
XClient.exe
-
Size
61KB
-
MD5
cba7d25f925fa34425ebf47293f2133a
-
SHA1
834b3ade6562c14834b09e2fbcd733a5651c479d
-
SHA256
3a6aabc0788476663742c854e6378a74ce1b842c2c14a9112db789b26bf775a4
-
SHA512
8bfd45e629934dc0037831f15a9e2d21d5f62c3353223da13347b46a870367e87db614f04bfc78118f43e54142fbfdb27b0c509f79af61337694e8743818b932
-
SSDEEP
1536:lSawG3K3vBzul3CHjxise5Ot+bSsVG55z6f4NO2VkGk:lKG3K3v+8FiFYt+bd25GMO2Vkv
Malware Config
Extracted
xworm
politics-installing.gl.at.ply.gg:59813
-
install_file
USB.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload 1 IoCs
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Xworm
Xworm is a remote access trojan written in C#.
-
ModiLoader Second Stage 2 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 25 IoCs
-
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 13 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 5 IoCs
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"1⤵
- Drops file in Drivers directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\OOK0HT5310R968G.exe"C:\Users\Admin\AppData\Local\Temp\OOK0HT5310R968G.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\HypercomponentCommon\hyperSurrogateagentCrt.exe"C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y5vl34vc\y5vl34vc.cmdline"6⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES69F9.tmp" "c:\Windows\System32\CSCB7AC6DD5EEA54CA197505CA0E5A663A2.TMP"7⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\cmd.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\csrss.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\smss.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\lsass.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fHsM3u1rww.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- Runs ping.exe
-
-
C:\Users\Default User\csrss.exe"C:\Users\Default User\csrss.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\wrodnw.exe"C:\Users\Admin\AppData\Local\Temp\wrodnw.exe"2⤵
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"3⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /44⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt4⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\11.txt4⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"4⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1779758,0x7fef1779768,0x7fef17797785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1384,i,4798819147819371074,5581526286899883365,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1384,i,4798819147819371074,5581526286899883365,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1384,i,4798819147819371074,5581526286899883365,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2140 --field-trial-handle=1384,i,4798819147819371074,5581526286899883365,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2144 --field-trial-handle=1384,i,4798819147819371074,5581526286899883365,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1408 --field-trial-handle=1384,i,4798819147819371074,5581526286899883365,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3240 --field-trial-handle=1384,i,4798819147819371074,5581526286899883365,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3640 --field-trial-handle=1384,i,4798819147819371074,5581526286899883365,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3760 --field-trial-handle=1384,i,4798819147819371074,5581526286899883365,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3476 --field-trial-handle=1384,i,4798819147819371074,5581526286899883365,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3256 --field-trial-handle=1384,i,4798819147819371074,5581526286899883365,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3376 --field-trial-handle=1384,i,4798819147819371074,5581526286899883365,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2340 --field-trial-handle=1384,i,4798819147819371074,5581526286899883365,131072 /prefetch:15⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\WMCE4SCH7ET1JTC.exe"C:\Users\Admin\AppData\Local\Temp\WMCE4SCH7ET1JTC.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "4⤵
- Loads dropped DLL
-
C:\HypercomponentCommon\hyperSurrogateagentCrt.exe"C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"5⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF328.tmp.bat""2⤵
- Deletes itself
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\HypercomponentCommon\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\HypercomponentCommon\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\HypercomponentCommon\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\HypercomponentCommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\HypercomponentCommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\HypercomponentCommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\it-IT\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 13 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 7 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\HypercomponentCommon\cmd.exe"C:\HypercomponentCommon\cmd.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\HypercomponentCommon\csrss.exe"C:\HypercomponentCommon\csrss.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Default User\csrss.exe"C:\Users\Default User\csrss.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\it-IT\smss.exe"C:\Windows\it-IT\smss.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\lsass.exe"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\lsass.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\HypercomponentCommon\hyperSurrogateagentCrt.exe"C:\HypercomponentCommon\hyperSurrogateagentCrt.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x58c1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {492458E1-8C17-482E-9A14-223D50B87F83} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]1⤵
-
C:\Windows\it-IT\smss.exeC:\Windows\it-IT\smss.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\lsass.exe"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\lsass.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Default User\csrss.exe"C:\Users\Default User\csrss.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\it-IT\smss.exeC:\Windows\it-IT\smss.exe2⤵
- Executes dropped EXE
-
-
C:\HypercomponentCommon\hyperSurrogateagentCrt.exeC:\HypercomponentCommon\hyperSurrogateagentCrt.exe2⤵
- Executes dropped EXE
-
-
C:\HypercomponentCommon\cmd.exeC:\HypercomponentCommon\cmd.exe2⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\lsass.exe"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\lsass.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\it-IT\smss.exeC:\Windows\it-IT\smss.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Default User\csrss.exe"C:\Users\Default User\csrss.exe"2⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\lsass.exe"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\lsass.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\it-IT\smss.exeC:\Windows\it-IT\smss.exe2⤵
- Executes dropped EXE
-
-
C:\HypercomponentCommon\hyperSurrogateagentCrt.exeC:\HypercomponentCommon\hyperSurrogateagentCrt.exe2⤵
- Executes dropped EXE
-
-
C:\HypercomponentCommon\cmd.exeC:\HypercomponentCommon\cmd.exe2⤵
- Executes dropped EXE
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
220B
MD547085bdd4e3087465355c9bb9bbc6005
SHA1bf0c5b11c20beca45cc9d4298f2a11a16c793a61
SHA25680577e4666fad86273b01f60b8d63c15e4ce37774575ac1e0df7a7c396979752
SHA512e74dd8e9756cab1123410a46609dc91540cc29a8fea93017155746f7bb9b7a41bfd3d7595a62788264bedceb475b2a733cce9b70f37cc4478302d5fc228d7684
-
Filesize
105B
MD55ee2935a1949f69f67601f7375b3e8a3
SHA16a3229f18db384e57435bd3308298da56aa8c404
SHA256c24a0d7f53a7aa3437f6b6566d3aaebdb36053b64e72cbd1d3796596fc8e3c06
SHA5129777fcb9ee8a8aa0c770c835c5f30aff6efc5fb16a1819047e13d580d748703ffcb446db110067fb2546a637213cb8f25416d4b621a95a789b8e113d31d3401a
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
342B
MD5cfc723eb38d80cf6f55a3e95c664e718
SHA1376f62c6f1df80965456ff2d15f5d32935b21191
SHA2562108383aa5037ee84b251618c692239dc50c67a5efd60e5d0b1f99fd029c8438
SHA5129b0f5527eba4df98a171e0e34bcb960c7a8d708360db27a15704350bb9267b3dbaaf7f2a96e9eb5eff8b5d272e0c503ef3c41c3607dba43039929f696b72616d
-
Filesize
342B
MD5ece79a8b52d4632024b9ebfae546003d
SHA12eed0bb15163afba0d7a927ecd8fdbc6512ba5fa
SHA25661a1e1272394974ebbe2e6fcca50afac9a2b12aea7e795d4ba3a8453cde8cf50
SHA512ead2ee4a9de5bc88b4e143e1d23e3d5edb31f02a9eccc88e781db83521b2c051f521b7d2a24bd8cba9246593afbe9fde1b424cdf80941f2e35fee05a6eb8bc61
-
Filesize
342B
MD58583d1f06b6fdd5d34c86f462968fc55
SHA13e990c56ec8219145c876ab735715b9750129248
SHA256234a1bfe3157b16956c6032be74a3a484d0ade0118e1871a4478150a92126f27
SHA512f22ca65c76cdc53d0a09110048230819dbb98f0a5541a467314fda2f8309a6e3526cbf6a8175cb69cddeb5cebddb3aaa148abef52cf329fb3c50ca1e62b16bea
-
Filesize
342B
MD52a42abb1e6d18e624d4baf2047a2d2ee
SHA17a271d3fd85417fee3dedd90f33cc0ce631bc8f5
SHA256b90dc2f1810948151e23897d986535b06ed0f30955739d04fb5aa923a39ab941
SHA512a6438cd49ec0027e84ffe1c9e32195c5fadbaadd54d66e9991153eca066399a70bb5ae2d8e0a6f4381d913e0f96b988c2358c016400e33ac88fd97833a613fc5
-
Filesize
342B
MD5558800c27f80a65d884510b6dc8a67ff
SHA143b8a4e0d16ec0acf198f0dfa0f94b040a66be15
SHA25688f5cced5e81178ed50b14d859f436cbe01480b1b93f1ecfedb09582e08fbc3d
SHA5128082662284cf24c5b70dc3fa5abdbc77f8f696f4e13f447ebb20e68486404f31edda70b80da18db239da4202e5034cc85e16f7ba21f52dcf7aa733751c49e433
-
Filesize
342B
MD54c8f04ea7e156521b0c6c6966a641829
SHA16d25eb43eb2c7356b853f40930e7f3432c41f233
SHA2569be2a6a911a20e09faa5ba025ceeb16bae39f0537f581144c474869bcdbd5b21
SHA512ac0758a3eec9c6236c8a039e8c2ea89ca4b5058a01744effec06a430c5fac874b1ab06351f7a6bcb2ba0c5e57e51d7037cf007a88b5f811fd022bec978c50385
-
Filesize
342B
MD5ac1c23a723083a227ffb7ff431836709
SHA1e84967bf0ca7627c8ebf40e3ddb320bed026afd2
SHA256cd9d38ead19d3a374ad03e255986fdb79e226c66aaa9e1663de88c8c93e007b1
SHA512f7d6dc7ac2723f727ce06811b790c66d8cb78e3f48d827d084e349cdc37bbc04c0c859e6d9b5603eeb223da57ac38ec8ba8396a5f3d4b37224f48bd96eca5abf
-
Filesize
280KB
MD5eb4d16c71b861e75f5b9b0f2e0b01258
SHA16ad67ab5cc60760f1a9455eee403406461099aaf
SHA256ae985ae5d2a17ec8d6e77e740494a2aab48ad5939704259fe89a16f1c55f5bff
SHA5129e30ab6ef8579e360fb8856b6c82740dce195dfe3c2b4dd0a157e3ba43485337c3ac8f61e49dec1561b87989db4fbd97914635e328eb4d6cdee056c7cdec61c6
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
904B
MD580843a266a231ca9496ed76a0bdc5114
SHA1d1ec4a163a9f0d46bf8cd9c7eefb189739743b1e
SHA25696ac6686135c73426704dd06a7a804442b62e0e076e22fce9307488b175d02e7
SHA512f7a937b58c5e34d98e69e3305076388695fdc869ad9ce1b879d51c35fb0e26f4c5bf70b5d783eb2f3f1362024916b8a7951befade1bdb5de121bde173bb6f4fb
-
Filesize
6KB
MD539b3762107e9d0cf74e313f4c849b192
SHA1bacd2eac986ebb9e458165e9eea8e7aaf3680e6a
SHA2567bfc213c99a9880199ab07357150d7a11f46e4cd1532de976a43b7b404431175
SHA51236034f5960000a2b91d55c75d1755c97b6ce1a08dc75b171ffa3f3dadc27d9a65bb3c565e1c80ff7a1bfd1dbce658f6c2e68e4a3f690b18826692c0c94cef4ba
-
Filesize
5KB
MD5d38aa053b5e773e794e81938d0d091e8
SHA1120b1c1c142cc48066d94d98c1de03232f85ed3f
SHA2560cdad780d5f659c8518b1ee0dde8c0a8977d1fe708cd15174ea7bfa6f1f869aa
SHA512dd08e470b19f105f2259b7027c3b525e6ce727b7e26cdbf80466253fd408cc1f40fd36b9e5d96e29b775819d230b75b0d84a6687d2e40554bfeba947f8f6c4bb
-
Filesize
6KB
MD5c7ac6538acedfdba4977d2f6cd490798
SHA1c319a7359ecf5f66f85798b1555415c834fd2862
SHA256668e47e1b31e44eec813773dbec3abb1cfa6cbea2ede92366c1d9fe0324cfa7a
SHA512427041de6b8d92fe28574f6428db8762c58057031f42d813d96de5cf4a6feb867d5a306ca859b2a4635db32fad83f2e9568a8cca3f0b03f995fa1757e31eee99
-
Filesize
6KB
MD5baa73db865ea73c6bb1015c1f75228a8
SHA1db6f554f5d1d76fe8e741d1f8e532f8700ffd30e
SHA256835e74ace41288129e3dc33e170ebc3bd5e37733ce8ece5d779cbbc304995384
SHA512a653e197d5e00da2b3a025a4987874b9cc55331dd5eea89a6fc33d96a7344407ce2cfd62d5a715f5cc1e1a206c99fbc94a0c6bf4929898b72a58a1bafa726310
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
280KB
MD53b6c61ef5c1757a8f3366b86a1291418
SHA1dc428dff0535e9af79a2dacd4bb6e17e96335208
SHA256c2c1be38145a8de57732fd4669ae8eee8ec4250110a16dd92e8184b125d0d00b
SHA5120fb84c16f4e98178d4ad5097475cb0dd321db4fe6cba4cb5643fea04291822f43dd96159b698fbe11b87920dc4d813b89ac4fffb8fede2e7e6c4ee8cfb2fcb8c
-
Filesize
2.2MB
MD505d87a4a162784fd5256f4118aff32af
SHA1484ed03930ed6a60866b6f909b37ef0d852dbefd
SHA2567e3d0dabaded78094abfac40d694eaebf861f3cb865d3835bb053d435e996950
SHA5123d4ce511e9671d8bfa15e93d681fedd972f4fe4c09ac9cfd9653afe83e936654c88ee515a76e7ac80e8f34868802e68c6531fdea0b718029d2196ad1425981fc
-
Filesize
1KB
MD526f8e05b6e10dd44182a1808705c0af5
SHA1e736b334196d61326a30e0dacecd1482771da19f
SHA2563f7c4ddd2381bec95528612097e5300dde3ddc61cc6ed654809eae59d79ddbd3
SHA512bea4bec4f45441b5507ea817bb9676b9b0331db19f0d00e0cf8037b8cda0779e89fefa8f2cf8456445b22ca104300ab9cc9fcd984affea5d796671e44db473e1
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
159B
MD5835cefc9a71feb22b0a1770bef35fc4a
SHA1f0dc77a28460bf83afcfea24faa600f8254b01ae
SHA256acde76411fe5fd63b6521bbce71c826043d281f2380620d9bfc42b8bd198a3c6
SHA512d2c857aa1e0ccd000f81ccec53490b09f2f09f26dcb837192475e5a8ffe7b6da1d7dd2779bfdf2eba830e99cd57e1674189cb0c72f9d8f66ad7394bdcd3a35af
-
Filesize
159B
MD57418937b77b0319eda3da6df0df22901
SHA18bc4f23f565da0b455f1c59b737673a97bb9ab83
SHA256f7d5fcc3c4d6f9daec3c0d03a795366c12dd55d45fc6f457b3718535cdb2d812
SHA512fc0db133358db5a0f2b307cebecd0346bdd2e37f065eeb3a9dc0e574ac28123dd866aa058261fa7646a0300c72bed8d0ab7910c98bc236761c681994ceb9963f
-
Filesize
397KB
MD57951e8baa6a654f7ceb9fbedbeb84f2a
SHA1eb26db8d976b0bc52c5c0a789e1ba1fbfc961e54
SHA2562f5170b86ac950832eff0fba3fccd0d68cbfd92c077c8ac1a980f1979c5a16b5
SHA512c4ad760434be710668045921fbd5c70b0560f4ac1cb506e510220149810823b7fe337541579c3d06a0805ceee1b1be366eaf21885b5cf1bc8fc51efa958d0208
-
Filesize
7KB
MD5082924bb483debf0b18cb8455d12950e
SHA165ae077dce7f34701241513bc4cbb9fabff0c733
SHA256345d74704d447b0505d6bde2d3d18082554a912f76626bedad89ef40555a7be7
SHA512aed1384f94b7cbc4e072e505e3ea2b753c5655602cddc78d58707750d4540fd47c4ea9900f8ead1a20ea251d90ed97a936f01a0a474dc6751b580562b6e1dc48
-
Filesize
7KB
MD54192760060b4943820a2293795b6245a
SHA1ca1d8ee798f2295a8e1a7f201d458d3ade04ac5b
SHA256a83a908875974d87ce51561b8a91eda14c8026b40343c60f505a8cfb90d93d24
SHA51254ff8ad89bd22ba3e585d75577150312b026811500575bde603b5d247395bf91c6dbdc5ee37533062fc40721aa598e0777e1de446ea2f80783dffd60ca7cf1fb
-
Filesize
21B
MD5ec5b3b67455e9ac9b42560e3382c0276
SHA11cba489fbf46ffbafbc92b3e8d682a548a128513
SHA256e23695a895a580a389d684375349bd37ab2c0f0a6c4cf63ca84b559f86f0de10
SHA512ab05638069cf2410376eb169fa5782569b7b3eb1d4f1d53b699f27d7606c8df1c99f76cfaf9093d08c06a8cd46c75f40d4259455a8fb92602dce39ead7e5d907
-
Filesize
997B
MD5e43857c9fe3f73f623449cb61a9763b7
SHA175a92e117923e4a9682a04c480b451390705179b
SHA25655bae45f5b1de623d91a5c6e0acd63039e37aa41f3034f5bae254b134beb4af0
SHA5122a76184865552b2de6738ba8816579ce81d76e787cdfad00a9069a8dc021a9c2f9460097e8c2ffd61a122509e2b04466cc2fdcdb1a9c3d5e4416c35915ce41ba
-
Filesize
363B
MD5aecfaa89aa865e76add8a2d521931888
SHA1f3bc2712c21b68053a5d04a28426e69557d636ba
SHA2566089b9615a58b6915b97936c2c1f4e2a79b591e32db7fd11562b036e5284de4a
SHA512ac89458a3dd866efacd612aee8462f4296f33a755f75ad8ccf770a598adbcb0d49333976f95a27ccf9f9086b45e57c4327e82e549ab0dee7c29d633cebcfb51f
-
Filesize
235B
MD523a458f0bf6977a8aca4e6277abce57a
SHA1496118913b0cb9afd3131334ef3f9b812a5412eb
SHA256830bf80cc7b8560e8d5634bdf753e5f72781f633b7991e898d88d910cbc569e8
SHA51285a5e28951b9c4711c19643c0499402f9c9a95ace0721961b09aaec1726c00bf0050d607217d6bd2d96d22d8f5417a15a66926d2f545d102b5a947289f44332c
-
Filesize
1KB
MD5d8db284f657dc7249f8d2e9798f16b87
SHA12c9e00cba50091d4239c90f375509c8d58408ec1
SHA25667e68135a985b6d3a0d63df5c6795567cbc1d5b8f124d65662e463af4da65823
SHA5124330f819da94bcb38b930d39f016c5989e68a20780b74de751f59b759e46de031244be9186261bb245507e9ca816c1655049575a03e85339b5fc596f5b7cfd39
-
Filesize
1.9MB
MD57be5cea1c84ad0b2a6d2e5b6292c8d80
SHA1631e3de0fe83ebacbe5be4e7f895dd0bd8b095ce
SHA2566eb90684ebc56fb2713f5c468b55a964625ec2af698d9687492b1de4225693b7
SHA512ea58d3b1664fe70968635c2722e19ce65ce4c1d66c68aed2d98441e60e773c7295f18d9c99cf4c454c510f33f5e37d3d2c0053b7434a46c542a0d63a4cc03647
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
704KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
424KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
96KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
1.9MB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
1.9MB
-
Filesize
1.9MB