xworm | 6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f

max time kernel
332s
max time network
338s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 16:29

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

писька чит.exe
Size

71KB
MD5

ed3794861ddc34b4748ff8081e80cb2b
SHA1

e63cf084552f0c2803de0109e3d2fcd3102c4738
SHA256

6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f
SHA512

df771b8eecb7e065628c06b8cca9aa7df6dd05bbdba0f85ed34010e264a286a17129289d6ac3e9f87c56152ed7a35302e88ae6643a1bb06c45745cf3d5ea0b03
SSDEEP

1536:EYB+O1NIBlJ4wlA0B4GI0b0xEPdB8QlOrIXt6fT+S1va+OuPyGV54:EOgQwlRB4wb0xEFBdMIk+S19OuaGV54

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

main-although.gl.at.ply.gg:30970

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/2596-1-0x00000000003D0000-0x00000000003E8000-memory.dmp	family_xworm
behavioral2/files/0x00100000000233fb-71.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4876	powershell.exe
3396	powershell.exe
1108	powershell.exe
2824	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	писька чит.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	писька чит.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	писька чит.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\compmgmt.msc	mmc.exe

Drops file in Windows directory 57 IoCs

description	ioc	Process
File created	C:\Windows\INF\c_netdriver.PNF	mmc.exe
File created	C:\Windows\INF\c_fsencryption.PNF	mmc.exe
File created	C:\Windows\INF\xusb22.PNF	mmc.exe
File created	C:\Windows\INF\c_fscompression.PNF	mmc.exe
File created	C:\Windows\INF\c_linedisplay.PNF	mmc.exe
File created	C:\Windows\INF\digitalmediadevice.PNF	mmc.exe
File created	C:\Windows\INF\c_display.PNF	mmc.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\rdcameradriver.PNF	mmc.exe
File created	C:\Windows\INF\c_receiptprinter.PNF	mmc.exe
File created	C:\Windows\INF\dc1-controller.PNF	mmc.exe
File created	C:\Windows\INF\c_magneticstripereader.PNF	mmc.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\INF\c_camera.PNF	mmc.exe
File created	C:\Windows\INF\c_ucm.PNF	mmc.exe
File created	C:\Windows\INF\c_processor.PNF	mmc.exe
File created	C:\Windows\INF\c_proximity.PNF	mmc.exe
File created	C:\Windows\INF\oposdrv.PNF	mmc.exe
File created	C:\Windows\INF\PerceptionSimulationSixDof.PNF	mmc.exe
File created	C:\Windows\INF\c_fsantivirus.PNF	mmc.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\INF\c_computeaccelerator.PNF	mmc.exe
File created	C:\Windows\INF\c_barcodescanner.PNF	mmc.exe
File created	C:\Windows\INF\c_fsreplication.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\INF\c_cashdrawer.PNF	mmc.exe
File created	C:\Windows\INF\c_fssecurityenhancer.PNF	mmc.exe
File created	C:\Windows\INF\c_fsundelete.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontinuousbackup.PNF	mmc.exe
File created	C:\Windows\INF\ts_generic.PNF	mmc.exe
File created	C:\Windows\INF\wsdprint.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontentscreener.PNF	mmc.exe
File created	C:\Windows\INF\c_media.PNF	mmc.exe
File created	C:\Windows\INF\c_smrvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystem.PNF	mmc.exe
File created	C:\Windows\INF\c_fsinfrastructure.PNF	mmc.exe
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_swcomponent.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe
File created	C:\Windows\INF\c_scmvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystemrecovery.PNF	mmc.exe
File created	C:\Windows\INF\c_smrdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_holographic.PNF	mmc.exe
File created	C:\Windows\INF\c_fsvirtualization.PNF	mmc.exe
File created	C:\Windows\INF\c_mcx.PNF	mmc.exe
File created	C:\Windows\INF\miradisp.PNF	mmc.exe
File created	C:\Windows\INF\c_sslaccel.PNF	mmc.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\c_fsquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_fsactivitymonitor.PNF	mmc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133662258409905438"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4876	powershell.exe
4876	powershell.exe
3396	powershell.exe
3396	powershell.exe
3396	powershell.exe
1108	powershell.exe
1108	powershell.exe
1108	powershell.exe
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5500	mmc.exe
2008	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	писька чит.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	3396	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2596	писька чит.exe
Token: SeDebugPrivilege	2008	taskmgr.exe
Token: SeSystemProfilePrivilege	2008	taskmgr.exe
Token: SeCreateGlobalPrivilege	2008	taskmgr.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: 33	5500	mmc.exe
Token: SeIncBasePriorityPrivilege	5500	mmc.exe
Token: 33	5500	mmc.exe
Token: SeIncBasePriorityPrivilege	5500	mmc.exe
Token: SeSecurityPrivilege	5500	mmc.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: 33	5500	mmc.exe
Token: SeIncBasePriorityPrivilege	5500	mmc.exe
Token: 33	5500	mmc.exe
Token: SeIncBasePriorityPrivilege	5500	mmc.exe
Token: 33	5500	mmc.exe
Token: SeIncBasePriorityPrivilege	5500	mmc.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: 33	5500	mmc.exe
Token: SeIncBasePriorityPrivilege	5500	mmc.exe
Token: 33	5500	mmc.exe
Token: SeIncBasePriorityPrivilege	5500	mmc.exe
Token: 33	5500	mmc.exe
Token: SeIncBasePriorityPrivilege	5500	mmc.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: 33	5500	mmc.exe
Token: SeIncBasePriorityPrivilege	5500	mmc.exe
Token: 33	5500	mmc.exe
Token: SeIncBasePriorityPrivilege	5500	mmc.exe
Token: 33	5500	mmc.exe
Token: SeIncBasePriorityPrivilege	5500	mmc.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: 33	5500	mmc.exe
Token: SeIncBasePriorityPrivilege	5500	mmc.exe
Token: 33	5500	mmc.exe
Token: SeIncBasePriorityPrivilege	5500	mmc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5500	mmc.exe
5500	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 4876	2596	писька чит.exe	94
PID 2596 wrote to memory of 4876	2596	писька чит.exe	94
PID 2596 wrote to memory of 3396	2596	писька чит.exe	97
PID 2596 wrote to memory of 3396	2596	писька чит.exe	97
PID 2596 wrote to memory of 1108	2596	писька чит.exe	99
PID 2596 wrote to memory of 1108	2596	писька чит.exe	99
PID 2596 wrote to memory of 2824	2596	писька чит.exe	101
PID 2596 wrote to memory of 2824	2596	писька чит.exe	101
PID 4704 wrote to memory of 4428	4704	chrome.exe	114
PID 4704 wrote to memory of 4428	4704	chrome.exe	114
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 2100	4704	chrome.exe	115
PID 4704 wrote to memory of 4376	4704	chrome.exe	116
PID 4704 wrote to memory of 4376	4704	chrome.exe	116
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117
PID 4704 wrote to memory of 3224	4704	chrome.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\писька чит.exe
"C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\писька чит.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'писька чит.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4980

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc183dcc40,0x7ffc183dcc4c,0x7ffc183dcc58
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,5040188313230381096,5438794740216056530,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2216,i,5040188313230381096,5438794740216056530,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2308,i,5040188313230381096,5438794740216056530,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,5040188313230381096,5438794740216056530,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3292,i,5040188313230381096,5438794740216056530,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4604,i,5040188313230381096,5438794740216056530,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4560 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,5040188313230381096,5438794740216056530,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,5040188313230381096,5438794740216056530,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:5200

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5396

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5500

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\RequestPop.cmd" "
1⤵
PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\RequestPop.cmd" "
1⤵
PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\RequestPop.cmd" "
1⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\.exe
"C:\Users\Admin\AppData\Local\Temp\.exe"
1⤵
PID:6108

C:\Users\Admin\AppData\Local\Temp\.exe
"C:\Users\Admin\AppData\Local\Temp\.exe"
1⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\.exe
"C:\Users\Admin\AppData\Local\Temp\.exe"
1⤵
PID:5756

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fd816bf14db137af4ab209c8cd9a1268

SHA1
bf5bd678e82c69aa1e03a6a34ada8c430b10394b

SHA256
fe29287ceefefea26e76b6097939e0823b597442f9bd0f81578a2dcb91e664da

SHA512
908d0b05ddcb83d49ab176a98a62f182900b94e6001385627e8094d16e7c49343a5a2d3c815dba3b3ef242a2e36ea223bd9bfad04c24af2ef46eb5123d8fe8ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
85afe0690003cc85d0d32a8222592cfc

SHA1
02ec212b616fa208d44c450ba91a18e950068880

SHA256
5b0bd5b5e07206bcf14c58a851171bed8c64738a54dbc080de81a4334a7c9cf7

SHA512
8d06d933d50ea7b06223dcce464b0e59b25836fb61b2df04c46fa734367626870d041f7eb375669f8ed90f99f37caf0e051b39427436c06d0cd6d85d9c59a5e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
8f20957ce55d9817b143818193a19e2d

SHA1
18e641c4d07b1883a0f871185e7c032033dd028f

SHA256
5053a9b107a67540e4f281a669bcab00406d8801a692d02448135c9182bae17f

SHA512
b18d42dadf7c4add99e297e84082896ce41ff745c013017da6374b732cba1de1b008180bf54833c0675ddf4af09ffcf714ba7d20bd6599f201bfa370cefeab72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ab89c8bcaf23c060a14b860fd384840e

SHA1
6a400619a4c0763d208803dba7221d978cb32e3e

SHA256
dfe08862c54878df04f22cbfddc9b0e964148d3c3357c3fee68e82ece100a060

SHA512
7e5c5ba1459d0daef3e8b54b3a6b59d85b6dc9c29bce2efec0a4fb166f6d7fdd47581939ea37d4235803b4fa5ffe1eb3e930f79e9e162ff73f235e4e88429dc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6c4e822838cfadce67810ca73e9232b9

SHA1
c2552b929e82a8e66634825f537721603951f551

SHA256
f5d95832cb106281e005ac3ad437694adad58d7ef5ff0e60982c1ee7414d9aed

SHA512
0ad82eea8c8a347a0230e5ac9fb4823e40b563520f240d7e211fcfb001bb48db0c0de6cc69077ea25ff67f4f645c90872b06424b1fe61874742c863d830d0cbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f8626281311cb3991d56df93e97dca84

SHA1
46fb05e57fd5d2b85b59d95133dc704f625e3d93

SHA256
aee738eef66dbc2b88e01a69057913ee2f69bdb04af5eaa4d45da1de0c281643

SHA512
e79a94992f9e5076e9383ebd1b1175b3682e1cc150c1f7f928848b8b134945710d145727a9099c55d3accd33b2a3ccd8f01e1dc96ed2211f26e5aa5f35cfb906

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
973c30ee8a85de926e8d26c79b99bdce

SHA1
110cd651614a5a268db316f3f34dd8c3a0a16550

SHA256
ab726caf99509e40fcd6cf69ee0a17e315427d9ba638648c9848f9e2ff454c56

SHA512
8dfc9829365547ba66994837566f7a0ee20b485442e050e988470bea9f499294e80df84291780198896b4324496359d63aeb5d5f718697a3e01ca46824aa3899

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
d4951d28393b5b2057789888507371fb

SHA1
7a14b01b39962cfa273a7f2fdc8203fae30cfc0d

SHA256
e639e858bf8e8c65742c999f92b81d7716a1d071a690abfcaae9d1824b9854e9

SHA512
b9d66e014a2d9e65c8e8f83074607f67e62d67132e96539166c0657ed1f567c288f28000b9db6c506f8d8146ad8e8973e53c9466b50bb017ecf971a94b88f548

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
a3c50f988f030b7cf2ef91614fecb20d

SHA1
16fea943f47ee33fe28572479ffa443688fabad0

SHA256
216eaadc8d6213acffcec4e7c2a7c6e217b9a01ac05db164506cfa83aaa5f557

SHA512
9694610128264eed23c5febc6b418e6cb955f58034dbba3d2914576e78a615eea1d7bee9dbc77291981b77714bb9051e5d2a886d2448a00662cb65bef0bc3be3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
31660de1eb84d1a1d6ae47987dab66dd

SHA1
41cfc596bf62ad572954442e77e95cafff0045d0

SHA256
c9dfe7323e68fcddcf9f20c28f3ae2302744d96d5de332c8356711ce0e7f38c5

SHA512
3a85bd98039cd5cb54df666a77998b4e86bf73b390d237a19c4a94e957b13f44d2ff8ea02a8a58c0ff5cfa48196cdb2eac7567276a334d6eb4554d40adea9154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bndf0rqu.23o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Filesize
771B

MD5
2511b545bbcd9d3e6dbbd129e12dab02

SHA1
529216a5201b72d9d45acf0801e1450398a31fe7

SHA256
e108a5ce9eb9872223d99522bd6736eac1b309d1e615a5f0e8d326e9f003a057

SHA512
820ad873d76d293f22ba719cf4ee36fc0a900d720772159d0da7c57de55783fc85b06c041e6212a77554d27be6f271d0ffae78dabd72b98d372cdf876792fb8f

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
71KB

MD5
ed3794861ddc34b4748ff8081e80cb2b

SHA1
e63cf084552f0c2803de0109e3d2fcd3102c4738

SHA256
6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f

SHA512
df771b8eecb7e065628c06b8cca9aa7df6dd05bbdba0f85ed34010e264a286a17129289d6ac3e9f87c56152ed7a35302e88ae6643a1bb06c45745cf3d5ea0b03

Download Submit
memory/1872-348-0x000002480CA50000-0x000002480CA51000-memory.dmp

Filesize
4KB

Download
memory/1872-347-0x000002480CA50000-0x000002480CA51000-memory.dmp

Filesize
4KB

Download
memory/1872-346-0x000002480CA50000-0x000002480CA51000-memory.dmp

Filesize
4KB

Download
memory/1872-353-0x000002480CA50000-0x000002480CA51000-memory.dmp

Filesize
4KB

Download
memory/1872-354-0x000002480CA50000-0x000002480CA51000-memory.dmp

Filesize
4KB

Download
memory/1872-358-0x000002480CA50000-0x000002480CA51000-memory.dmp

Filesize
4KB

Download
memory/1872-357-0x000002480CA50000-0x000002480CA51000-memory.dmp

Filesize
4KB

Download
memory/1872-356-0x000002480CA50000-0x000002480CA51000-memory.dmp

Filesize
4KB

Download
memory/1872-355-0x000002480CA50000-0x000002480CA51000-memory.dmp

Filesize
4KB

Download
memory/2008-57-0x000001D7D3B30000-0x000001D7D3B31000-memory.dmp

Filesize
4KB

Download
memory/2008-59-0x000001D7D3B30000-0x000001D7D3B31000-memory.dmp

Filesize
4KB

Download
memory/2008-58-0x000001D7D3B30000-0x000001D7D3B31000-memory.dmp

Filesize
4KB

Download
memory/2008-69-0x000001D7D3B30000-0x000001D7D3B31000-memory.dmp

Filesize
4KB

Download
memory/2008-63-0x000001D7D3B30000-0x000001D7D3B31000-memory.dmp

Filesize
4KB

Download
memory/2008-64-0x000001D7D3B30000-0x000001D7D3B31000-memory.dmp

Filesize
4KB

Download
memory/2008-65-0x000001D7D3B30000-0x000001D7D3B31000-memory.dmp

Filesize
4KB

Download
memory/2008-66-0x000001D7D3B30000-0x000001D7D3B31000-memory.dmp

Filesize
4KB

Download
memory/2008-67-0x000001D7D3B30000-0x000001D7D3B31000-memory.dmp

Filesize
4KB

Download
memory/2008-68-0x000001D7D3B30000-0x000001D7D3B31000-memory.dmp

Filesize
4KB

Download
memory/2596-72-0x00007FFC1D5E3000-0x00007FFC1D5E5000-memory.dmp

Filesize
8KB

Download
memory/2596-74-0x00007FFC1D5E0000-0x00007FFC1E0A1000-memory.dmp

Filesize
10.8MB

Download
memory/2596-73-0x000000001B080000-0x000000001B08C000-memory.dmp

Filesize
48KB

Download
memory/2596-0-0x00007FFC1D5E3000-0x00007FFC1D5E5000-memory.dmp

Filesize
8KB

Download
memory/2596-2-0x00007FFC1D5E0000-0x00007FFC1E0A1000-memory.dmp

Filesize
10.8MB

Download
memory/2596-1-0x00000000003D0000-0x00000000003E8000-memory.dmp

Filesize
96KB

Download
memory/4876-18-0x00007FFC1D5E0000-0x00007FFC1E0A1000-memory.dmp

Filesize
10.8MB

Download
memory/4876-15-0x00007FFC1D5E0000-0x00007FFC1E0A1000-memory.dmp

Filesize
10.8MB

Download
memory/4876-14-0x00007FFC1D5E0000-0x00007FFC1E0A1000-memory.dmp

Filesize
10.8MB

Download
memory/4876-13-0x0000022917640000-0x0000022917662000-memory.dmp

Filesize
136KB

Download
memory/4876-8-0x00007FFC1D5E0000-0x00007FFC1E0A1000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads