Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
30-08-2024 18:48
General
-
Target
Solara.exe
-
Size
1005KB
-
MD5
d1a6835f7934684efb8df6b6f2d8a9df
-
SHA1
56f4e81d4663181f139e5b7b165e41611cbcc472
-
SHA256
2b0521e21f41e110682b1871824451a9826a4ff2f5691d4e25186b36b0294146
-
SHA512
c9e0557c3251c7a5d805c6e4047cee99949dab9a702e4e076e4ec0d9f0969b0210f4ca29c36ea7b4e15c43a70c7c076c0718df1b72bac057b2af7f3605f5908d
-
SSDEEP
12288:xE5dY26i2vTGY1Dg6x7L1uq2/OBPQu43D8fPVle8IoaBcHl8ANTSwAlZw:x2r2yAPC8eRBcHl8gTSHXw
Score
10/10
Malware Config
Extracted
Family
44caliber
C2
https://discord.com/api/webhooks/1244807698026070016/Tfzk-_b80yPKERHasgSCWK64Pdjux3P8VTHXs1cSWpKcLSUecUTjKHtLyEEhA8jsiCW-
Extracted
Family
xworm
C2
grand-herbal.gl.at.ply.gg:53590
Attributes
-
Install_directory
%ProgramData%
-
install_file
Windows32.exe
Signatures
-
44Caliber
An open source infostealer written in C#.
-
Detect Xworm Payload 3 IoCs
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 42 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 43 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Solara.exe"C:\Users\Admin\AppData\Local\Temp\Solara.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha — êîïèÿ.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha — êîïèÿ.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\CheatHoursEatsArtTool.exe"C:\Users\Admin\AppData\Local\Temp\CheatHoursEatsArtTool.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CheatHoursEatsArtTool.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CheatHoursEatsArtTool.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows32.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows32.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "USER OOBE BROKER" /tr "C:\Windows\Sub\xdwdClient.exe" & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "USER OOBE BROKER" /tr "C:\Windows\Sub\xdwdClient.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows32" /tr "C:\Windows\Sub\xdwdWatchDog.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo 5 /tn "Windows32" /tr "C:\Windows\Sub\xdwdWatchDog.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XDWDidinaxui" /tr "C:\Windows\Sub\xdwdClient.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d79d1bd60b7247fd284d8602d6e69c14
SHA1597f223c49c70fe13d0b4e5440dd3b9a998c89e0
SHA25645903c738ea99da02de9bc04177db4e702574ff7b8b448016f107b769079e553
SHA512a3f38b9ac86f8c7a93129502bc4f08aee02eaee70f41fb602c34a1c76562b5cca314c15727e01a73643cf17f5337a7b8f98da379860d139aabbd68e485251b09
-
Filesize
944B
MD55cfe303e798d1cc6c1dab341e7265c15
SHA1cd2834e05191a24e28a100f3f8114d5a7708dc7c
SHA256c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab
SHA512ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
68KB
MD5c7b96361f8ba66866dc0163b3e9c5b95
SHA1f3281a8ae74fe88a204c4ccc06b15f9aa8883b81
SHA25635c7b404d93b655e448ce97ea69022e79f2c61cda09810323405f7050b11f42a
SHA512d9f49b8a8d8e92e7c6b6cd291f0eb53d81a8708711609f3fd2efdae8e378b4356003c21081d980f34b4332c0e8a04bd38783d1ef966dd8232f386ab748aef404
-
Filesize
622KB
MD50c60ae033287897dee241499959d6f9b
SHA11aa25223f25e9bde0a7972e00de2e4156d9a2644
SHA256d89ffad749623a054365e9ed891a4518baa785b639e334e6064c7a2d510e5705
SHA512cf0e2e22a3126c37a78a0037508a89d5365c50959237a426ffe49b85077e15642fe9b51dc4b63efab9d2c7958d57da5dd6467b2c548a26321f12104ca71766f5
-
Filesize
303KB
MD50411aedeb5cb378230fc4736877290ff
SHA1cbfd99434251f2aceb5e5a9f998a4a170878169a
SHA256abf52b82f58ff179a83ab0c0dd6762a5512a7d25c126fccb58f8b4628c661b10
SHA51271c671f4c043aca897b2041ce3709a59cbc2900096d5625081bb029f070f7129d309d8e38ee6cd11b7268e6fbf9a444ee600177ac72c962d849932d9234ff64e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
136KB
MD516e5a492c9c6ae34c59683be9c51fa31
SHA197031b41f5c56f371c28ae0d62a2df7d585adaba
SHA25635c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA51220fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6
-
Filesize
10.8MB
-
Filesize
96KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
328KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
1.0MB
-
Filesize
640KB