Overview

overview

10

Static

static

10

XClientRAW.exe

windows7-x64

10

XClientRAW.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2024 06:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClientRAW.exe

  • Size

    75KB

  • MD5

    8901222e32955d6a0b3726cd5df36d7d

  • SHA1

    b7bc55849ec918a7cc2b3d95c1f3bcbeef3bd940

  • SHA256

    93499d87ab6ac4928d012b452b28433064cd554a5b11f74a615811def521b8aa

  • SHA512

    152a18e989ef822f65631eb273deabc19affcc377aa64e18cec51ca1e6869e940c003534deb7b047e22e7d43e9993b295ff229255d6a28ed2ac514a31f36cf7c

  • SSDEEP

    1536:RM5at9jdDNbjPXtbgoG0anpMaf6/wQ1wO/MxK/6:RMyHp1bgR01OawO/Mo6

Score
10/10
dcratxwormdiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %Temp%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7414557379:AAHJMIrSP_hoR0jelLf8igel3SZxGY860qU/sendMessage?chat_id=2076906822

Extracted

Family

xworm

Version

3.0

C2

plus-loves.gl.at.ply.gg:59327

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Detect Xworm Payload 4 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 12 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 14 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClientRAW.exe
    "C:\Users\Admin\AppData\Local\Temp\XClientRAW.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClientRAW.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2328
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClientRAW.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3484
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3464
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2292
    • C:\Users\Admin\AppData\Local\Temp\9DCAKCJLBPS8XR4.exe
      "C:\Users\Admin\AppData\Local\Temp\9DCAKCJLBPS8XR4.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3280
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "9DCAKCJLBPS8XR4" /tr "C:\Users\Admin\AppData\Roaming\9DCAKCJLBPS8XR4.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3960
    • C:\Users\Admin\AppData\Local\Temp\9DZ78GOY98L40N9.exe
      "C:\Users\Admin\AppData\Local\Temp\9DZ78GOY98L40N9.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1296
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3576
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2608
          • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
            "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3856
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5d1cassx\5d1cassx.cmdline"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3556
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA35.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB5558C4C1AB141D3BCED714C9B8EC97D.TMP"
                7⤵
                  PID:4412
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aprkymp0\aprkymp0.cmdline"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:4756
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB00.tmp" "c:\Users\Admin\AppData\Roaming\CSC3D7B655D6784EFF80A018C1E775D0DB.TMP"
                  7⤵
                    PID:4196
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ishxjh4v\ishxjh4v.cmdline"
                  6⤵
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:1348
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABAC.tmp" "c:\Windows\System32\CSC33F91DE76C794D05B240B875A927A76.TMP"
                    7⤵
                      PID:1644
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\MoUsoCoreWorker.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:868
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\WmiPrvSE.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3148
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\smss.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2220
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive\sihost.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4280
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\XClientRAW.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3648
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1892
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MxiXR6xTBR.bat"
                    6⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4640
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      7⤵
                        PID:2616
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        7⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:4292
                      • C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\MoUsoCoreWorker.exe
                        "C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\MoUsoCoreWorker.exe"
                        7⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1280
          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            C:\Users\Admin\AppData\Local\Temp\svchost.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2328
          • C:\Users\Admin\AppData\Roaming\9DCAKCJLBPS8XR4.exe
            C:\Users\Admin\AppData\Roaming\9DCAKCJLBPS8XR4.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3468
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\MoUsoCoreWorker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2568
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\MoUsoCoreWorker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3784
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\MoUsoCoreWorker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4416
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\WmiPrvSE.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2616
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Music\WmiPrvSE.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:228
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\WmiPrvSE.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:848
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Documents\smss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1852
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Documents\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2600
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4472
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\OneDrive\sihost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2612
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1536
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\OneDrive\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2028
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "XClientRAWX" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Gadgets\XClientRAW.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2980
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "XClientRAW" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\XClientRAW.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1116
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "XClientRAWX" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\XClientRAW.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4020
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 7 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2932
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1636
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 12 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:872
          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            C:\Users\Admin\AppData\Local\Temp\svchost.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3944
            • C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\MoUsoCoreWorker.exe
              "C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\MoUsoCoreWorker.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1412
            • C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe
              "C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1164
          • C:\Users\Admin\AppData\Roaming\9DCAKCJLBPS8XR4.exe
            C:\Users\Admin\AppData\Roaming\9DCAKCJLBPS8XR4.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2956
            • C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\MoUsoCoreWorker.exe
              "C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\MoUsoCoreWorker.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:4120
            • C:\Users\Admin\AppData\Roaming\9DCAKCJLBPS8XR4.exe.exe
              "C:\Users\Admin\AppData\Roaming\9DCAKCJLBPS8XR4.exe.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3836

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Modify Registry

          2
          T1112

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Query Registry

          2
          T1012

          Remote System Discovery

          1
          T1018

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          System Network Configuration Discovery

          1
          T1016

          Internet Connection Discovery

          1
          T1016.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Web Service

          1
          T1102

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe
            Filesize

            220B

            MD5

            47085bdd4e3087465355c9bb9bbc6005

            SHA1

            bf0c5b11c20beca45cc9d4298f2a11a16c793a61

            SHA256

            80577e4666fad86273b01f60b8d63c15e4ce37774575ac1e0df7a7c396979752

            SHA512

            e74dd8e9756cab1123410a46609dc91540cc29a8fea93017155746f7bb9b7a41bfd3d7595a62788264bedceb475b2a733cce9b70f37cc4478302d5fc228d7684

            Download Submit

          • C:\HypercomponentCommon\cemEzm0xYx1.bat
            Filesize

            105B

            MD5

            5ee2935a1949f69f67601f7375b3e8a3

            SHA1

            6a3229f18db384e57435bd3308298da56aa8c404

            SHA256

            c24a0d7f53a7aa3437f6b6566d3aaebdb36053b64e72cbd1d3796596fc8e3c06

            SHA512

            9777fcb9ee8a8aa0c770c835c5f30aff6efc5fb16a1819047e13d580d748703ffcb446db110067fb2546a637213cb8f25416d4b621a95a789b8e113d31d3401a

            Download Submit

          • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
            Filesize

            1.9MB

            MD5

            7be5cea1c84ad0b2a6d2e5b6292c8d80

            SHA1

            631e3de0fe83ebacbe5be4e7f895dd0bd8b095ce

            SHA256

            6eb90684ebc56fb2713f5c468b55a964625ec2af698d9687492b1de4225693b7

            SHA512

            ea58d3b1664fe70968635c2722e19ce65ce4c1d66c68aed2d98441e60e773c7295f18d9c99cf4c454c510f33f5e37d3d2c0053b7434a46c542a0d63a4cc03647

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MoUsoCoreWorker.exe.log
            Filesize

            847B

            MD5

            66a0a4aa01208ed3d53a5e131a8d030a

            SHA1

            ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1

            SHA256

            f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8

            SHA512

            626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log
            Filesize

            654B

            MD5

            2ff39f6c7249774be85fd60a8f9a245e

            SHA1

            684ff36b31aedc1e587c8496c02722c6698c1c4e

            SHA256

            e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

            SHA512

            1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            ab24765a7393bd3cef8acbf0a617fba2

            SHA1

            ef2c12a457a11f6204344afed09a39f4d3e803cb

            SHA256

            3a03c7efabe880ae9f283b1cf373d3f09d07ab619028319b3599b643ae140d47

            SHA512

            e16306674a8c89f54467d7fba3857e1e0bdf3729f5de9f4451520cfbddfa535c4d653dde6efcac38efd693e9b3e4965fcd08c559e720c372feca65050b46e355

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            e25058a5d8ac6b42d8c7c9883c598303

            SHA1

            bd9e6194a36a959772fc020f905244900ffc3d57

            SHA256

            9f6fe2203df58ba90b512b436fd74f5eeb4f39f4f9f54a41e882fc54e5f35d51

            SHA512

            0146f2d1298acf189005217784e952d6e99bf7c8bf24ae9e9af1a2ca3d881dca39f19f3ecd06c7d0ad919bc929edaf6e97e0ab2d7f71733b9422527c594ea0c5

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            9006afb2f47b3bb7d3669c647651e29c

            SHA1

            cdc0d7654be8e516df2c36accd9b52eac1f00ffd

            SHA256

            a025443b35555d64473b1ef01194239e808c49b47c924b99b942514036901302

            SHA512

            f2e72bbecfa823415bd0be7a091b1272e10e11059a71baf115780aa7ce3e694d114f6642de161ccba24e2182765b8188cc6dbb804fd07e318af9e1917549841c

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            3007e3802489bf130f1133c9b0e99381

            SHA1

            b7f208ba906b15aff81665e2fa9a19f79aba5739

            SHA256

            38cdc46f1fd4bc045d3367df0ac4c7387b82694c9956cca951021f00f3954cec

            SHA512

            0f40c84ac17ca7f5409f09629acb91888290ca0dce2ff50675676287143f8b27f1d50caa56a64db7946e308b4de0b9d0826dda2573c07a02e1fdbfbcccb19713

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            cadef9abd087803c630df65264a6c81c

            SHA1

            babbf3636c347c8727c35f3eef2ee643dbcc4bd2

            SHA256

            cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

            SHA512

            7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            e7cebf3b7ef4a6001988e0da1e82cc1d

            SHA1

            c4345e45710589200d39b79d407fc370be963296

            SHA256

            1bcc9d14f60f45002c38384b6765a0d9462ae90abf7c954d24a997f0167e325d

            SHA512

            d3bb57029ac793c37be4f673c1d7d67202235b72d12e5e42f7dc46e82f0e4cf179b9048a930bb9f076a82686c5014b337245928c04873448bfc55e7769cffa31

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            9f42c517cfa4df59cc9ce69cb44518a8

            SHA1

            1650010403502ef82ad2622268c50adb85e42973

            SHA256

            91bfeda38235a016be22a68fb6705950185f03b9c562b9053178755e5c36a58f

            SHA512

            19b6e1e93dce218d53953e664f54c6a139cb60837295fb49f620e698aaadb4d34c1243484ccd3c6cb0ed2619908068e6b190847cdf27786e249bf475076888cd

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\9DCAKCJLBPS8XR4.exe
            Filesize

            185KB

            MD5

            e0c8976957ffdc4fe5555adbe8cb0d0c

            SHA1

            226a764bacfa17b92131993aa85fe63f1dbf347c

            SHA256

            b8260ac46e03f2a7baa9ae01bee5443d16d9eb96f6ee8588a887d6de72a750d4

            SHA512

            3a1ea48e81ebfd5586938a72afd68bcc48d4c5d69949cfdacf33aee3371d98f202443f5db12bac876ca7cecc982ddc56827f8d9b1857d22bda71242d5b2cc71e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\9DZ78GOY98L40N9.exe
            Filesize

            2.2MB

            MD5

            05d87a4a162784fd5256f4118aff32af

            SHA1

            484ed03930ed6a60866b6f909b37ef0d852dbefd

            SHA256

            7e3d0dabaded78094abfac40d694eaebf861f3cb865d3835bb053d435e996950

            SHA512

            3d4ce511e9671d8bfa15e93d681fedd972f4fe4c09ac9cfd9653afe83e936654c88ee515a76e7ac80e8f34868802e68c6531fdea0b718029d2196ad1425981fc

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MxiXR6xTBR.bat
            Filesize

            217B

            MD5

            4a4969062233ffffc7c0b80c2d7f8234

            SHA1

            1c3c5d940af5bfe3edc7ff4d829226f94bdbff47

            SHA256

            5154c1735d95d2ba20caba067832ce2b879cc4fb1617ae5438715807a5e9e2c7

            SHA512

            8b59de02b34dfaffc536ae5af96f7323f54b16f923993b85fce345f9c6dff13ba0cb56e5383fbabe77c9712ab085070aaf8d766834e994ea6773ac5214e8060a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RESAA35.tmp
            Filesize

            1KB

            MD5

            1dcf1c1b39302d65fba071ebadcd233c

            SHA1

            752d56acefc8fbd685a50f12d743257c36dff8c3

            SHA256

            cc7596d3bbb927bf3c378b1a2d749217555756679dbe8ddf21690c64494493e5

            SHA512

            3006bd5e1b8f76b7e3b4f49ea0deeeaf028022278a5ae5c0961f6d9c937027c6323898700d75b7d20057fcaeb4a6fe0200a3ba3d790182fa564013f8756e5531

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RESAB00.tmp
            Filesize

            1KB

            MD5

            7ab8fe58717431bc3cf74d3933b0b029

            SHA1

            038418cd0eb49642535f9cd04b5e13638f25165f

            SHA256

            cf91982655884038b21250db306ec6e080d1bdfe4370706d75d2e4e3b9c2eac4

            SHA512

            2a5a5a3162e2c4abaa561f477b072022ccce32e838e032f59a7b0db9c4c00a03b9cfb5842da705e4e480d3b0436f228f2d34b63d429d15dcbf4a59a27cc777d0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RESABAC.tmp
            Filesize

            1KB

            MD5

            4496660afb9be5cfc5d93a7de7e6b2a9

            SHA1

            ce6cdd605b189606e1d33a054dd671c52ff808ec

            SHA256

            dc6f307169061a88a439274c4184692fe888746f1e1c4966612b80e53ef1b892

            SHA512

            56ee93b74e2faf55fb1e3fda1bb0ad8eff030c2067ac632d6dbb1e5dc523a6d9f08017b8fb3ca6f3b5038e7478b8601e7335ab7249468fc1e0b6542e4b81f1a3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vrwshiqc.p31.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            Filesize

            4KB

            MD5

            24d2f00a7cbf89d7ed6785f5edb76737

            SHA1

            eac799a210f65c8d1c5a96cf1cfbf97b99a7fb43

            SHA256

            84fe69cb617577215b1f9ecdab81c41e0d8b00d71a8d156816005a7d9cac1340

            SHA512

            d41ca1839c46d6df270b5ed19f200a9f1f693ab07889d17bebdea4e31f6ad46908ea0da291b06ecda2a4b3d61559a68d32b81f821002ed7bb8dad9a5cc0c6f8c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            Filesize

            75KB

            MD5

            8901222e32955d6a0b3726cd5df36d7d

            SHA1

            b7bc55849ec918a7cc2b3d95c1f3bcbeef3bd940

            SHA256

            93499d87ab6ac4928d012b452b28433064cd554a5b11f74a615811def521b8aa

            SHA512

            152a18e989ef822f65631eb273deabc19affcc377aa64e18cec51ca1e6869e940c003534deb7b047e22e7d43e9993b295ff229255d6a28ed2ac514a31f36cf7c

            Download Submit

          • C:\Users\Admin\AppData\Roaming\9DCAKCJLBPS8XR4.exe
            Filesize

            5KB

            MD5

            0021ad975e45fac6f282f78444772346

            SHA1

            dd4a92ede037578c4d91797e1ac53371a4da13e2

            SHA256

            05999e42d6ad3e1c58e82836c20faef0f4c44a7cd46de68c3b8c38fce8443b9f

            SHA512

            772560a7d113a1d96e70973c7fc9b016bc409948216e5494afaf57f17b29c8a31fe9b147e1fa107a1e5a588f6c0e129db4ba6a1631530d5571f25b4dc63f4ff7

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\5d1cassx\5d1cassx.0.cs
            Filesize

            436B

            MD5

            be71c8ed18a21338350d6bd09d060ade

            SHA1

            6d42ee9139d53e88f6284524e80b265580b4a20d

            SHA256

            f80f8df22259ce16f3c733140db81f9a5e8b5623d07476346de59e81ab3951af

            SHA512

            4fb278aad445abb40f614dd1f08733ab8ce15c90630cec58f6a2cd0d26245e078e177062685a385d4034fb00c8d9e889c469e6bbe5d31fbe6427461ce8bbd2f2

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\5d1cassx\5d1cassx.cmdline
            Filesize

            250B

            MD5

            c03f33e5841fc80889d70ef015c4977f

            SHA1

            66d102530ea84cd878351ee5f6e271b214117d39

            SHA256

            f878cf9528bec6dc90dbb5acc4bc2aedbb759a2a444ad189c153e32d4bef4da0

            SHA512

            af70844f8ed04308d38c59f2d118e8949b380f9727750044b2c225454cf74c30f2a842dd254a2a78db1255879ace5f7c580231ccd759ceb34f462b2eb3402da7

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\CSCB5558C4C1AB141D3BCED714C9B8EC97D.TMP
            Filesize

            1KB

            MD5

            b10290e193d94a5e3c95660f0626a397

            SHA1

            7b9de1fd7a43f6f506e5fc3426836b8c52d0d711

            SHA256

            75c9e1766bfb99754b6a00d37ef93488ab216b5ac48984ed7d9d2076a7056fd2

            SHA512

            6ae4201552a499eaa726416b29230f48d94ac7f40ff038165bf8582626bbefe601ef6c051ad97d9156dc4b9b55fd22081db61bcd013916136340c5f1324e4bb5

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\aprkymp0\aprkymp0.0.cs
            Filesize

            441B

            MD5

            24e81b1b76f7f48f8d0bbf7d2960eaac

            SHA1

            ca816beed9190cdb8e9a3fdb693ebad3ce11681e

            SHA256

            ac541e473ce8d0b2ec27507979875b9672fc5e793243601b0fe22fd172f0e9f7

            SHA512

            59a16fb8ab1077c249d3f3c9f60df083ec02140de574c54313f610e3b342c077add300836ebfbdc539a56a13f556054fa89c6a2e48450a906cce995d3906265a

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\aprkymp0\aprkymp0.cmdline
            Filesize

            255B

            MD5

            974faf8cc1ccfd5f5d517f0881fc4784

            SHA1

            e9d4812c9313f530abbb4dcd91436009a02aa645

            SHA256

            ed738cf059d47287032eafdafd111fb5f18e789940f8e7c7e0845795bf777667

            SHA512

            1be61e6e7dc7fb0f286ebdb63fb72a956ab37ee54d3217b3527c9036967700e466cdca6777e4ebe1e0db2aa2a728749b05b62b5798cb0b1ecce64cf09b4d73a2

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\ishxjh4v\ishxjh4v.0.cs
            Filesize

            421B

            MD5

            30f6001578cd8637ee5abb391dee3c1c

            SHA1

            fb80953cadac0265c0d21be830cf6d98a5fd49ee

            SHA256

            1e41cd21615b76ea26d73f79bbd1a74c85f254ba7d70e121099605625a10a22e

            SHA512

            b7407dfdbae60f7af2153a5c6cfb5f63b255db1eb3513e25c505c500da7d41cb23b640bce464ed50245e3f9a5e1adfdb22c9cd7fe087b3b8b9660326e5131e57

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\ishxjh4v\ishxjh4v.cmdline
            Filesize

            235B

            MD5

            93b8bf68dfa22820a581b57c4ad6dc32

            SHA1

            0492877b80731c85f0309ccbcb9a8722229556f7

            SHA256

            2f6c840cad4f52562aed8388b6b956d0dc335cc2856975e3925e32d6235635aa

            SHA512

            ba18ef7a548f3c452a00f84d15b95cfe1f987c514b7c8f1865d69178906af1566186435ec168134f8bb9ab9c428a0a2c672484bfe1fdb6dfdeb4ca2304139d6f

            Download Submit

          • \??\c:\Users\Admin\AppData\Roaming\CSC3D7B655D6784EFF80A018C1E775D0DB.TMP
            Filesize

            1KB

            MD5

            89337a3ee5aca1253565add97b5c2d44

            SHA1

            4c33f65968936742e46f1bf474390bcd6873f4d8

            SHA256

            5246427be1717116141c77dc9d0b9a68a622ba7982924a9c7866cbab7b5ebcc6

            SHA512

            b600c02c16da8cdea093f18c170ba156c66115094f4d649499ed82804cd3f3aab80728b3d9472933ff37c9bb3b3283e36895a035a808784c51ce56795337442b

            Download Submit

          • \??\c:\Windows\System32\CSC33F91DE76C794D05B240B875A927A76.TMP
            Filesize

            1KB

            MD5

            634e281a00b7b9f516c3048badfa1530

            SHA1

            af6369715ce2fe9b99609e470d4f66698880a35a

            SHA256

            0d990336ae793f3f6903048004c8d707d7a7191927bd7df46b7fe887116506c8

            SHA512

            1cb35fa0759f5362c9c7eee5546710874121005a3924bcfec2cf33ac90a257a807ce7ec0db7bc84dcb327604d708009449c34f52560ed936b54eeba49be7d27b

            Download Submit

          • memory/1340-53-0x00007FFE0B013000-0x00007FFE0B015000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1340-59-0x00000000010B0000-0x00000000010BC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1340-1-0x00000000008D0000-0x00000000008EA000-memory.dmp

            Filesize

            104KB

            Download

          • memory/1340-2-0x00007FFE0B010000-0x00007FFE0BAD1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1340-0-0x00007FFE0B013000-0x00007FFE0B015000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1340-58-0x00007FFE0B010000-0x00007FFE0BAD1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2328-3-0x00007FFE0B010000-0x00007FFE0BAD1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2328-15-0x00007FFE0B010000-0x00007FFE0BAD1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2328-13-0x0000016B753F0000-0x0000016B75412000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2328-14-0x00007FFE0B010000-0x00007FFE0BAD1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2328-18-0x00007FFE0B010000-0x00007FFE0BAD1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2956-281-0x0000000000020000-0x0000000000028000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3280-71-0x0000000000610000-0x0000000000644000-memory.dmp

            Filesize

            208KB

            Download

          • memory/3856-109-0x0000000003320000-0x000000000333C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/3856-110-0x000000001C1E0000-0x000000001C230000-memory.dmp

            Filesize

            320KB

            Download

          • memory/3856-101-0x0000000000FF0000-0x00000000011D6000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/3856-116-0x0000000001A20000-0x0000000001A2C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/3856-112-0x0000000003340000-0x0000000003358000-memory.dmp

            Filesize

            96KB

            Download

          • memory/3856-107-0x00000000019B0000-0x00000000019BE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3856-114-0x0000000001A10000-0x0000000001A1E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3944-277-0x0000000000C30000-0x0000000000C38000-memory.dmp

            Filesize

            32KB

            Download