xworm | 1c4c8d4b80aadd685bf7344b326116a30265c0c1ca7cbaf40f3719b825a2740a

Analysis

max time kernel
249s
max time network
251s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 18:18

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ez.exe
Size

46.0MB
MD5

c09e00509d7efa941fd97f50ee999feb
SHA1

117361c0c4d9aee118c7cfa4b44af9c561f2d2f9
SHA256

1c4c8d4b80aadd685bf7344b326116a30265c0c1ca7cbaf40f3719b825a2740a
SHA512

3a4e50e44deb484d296579d5d40e9379cef1a4f62869dd2a753244849019c77837defc4bf3349b68b5f9b61b30ea29f4d5f7d087c0d1b321e06e5d93beb69ca1
SSDEEP

393216:9YXEXR3uzMK0GWSFqlV3lYWmnHGm8mtGDfdJlU8Jq8tA9KxFxCfV:9YXEXhuzMmF26WmnHGrO1

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

trip-thesaurus.gl.at.ply.gg:16715

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3316-1-0x0000000000110000-0x000000000012A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3644	powershell.exe
2800	powershell.exe
4028	powershell.exe
2980	powershell.exe
3140	powershell.exe
3988	powershell.exe
3968	powershell.exe
4740	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	ez.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	SecurityHealthSystray

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	ez.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	ez.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray

Executes dropped EXE 4 IoCs

pid	Process
2156	SecurityHealthSystray
4496	SecurityHealthSystray
3560	SecurityHealthSystray
4592	SecurityHealthSystray

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthSystray"	ez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthSystray"	SecurityHealthSystray

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com
54	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "206"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1100	schtasks.exe
224	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3316	ez.exe
4592	SecurityHealthSystray

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3968	powershell.exe
3968	powershell.exe
4740	powershell.exe
4740	powershell.exe
3644	powershell.exe
3644	powershell.exe
2800	powershell.exe
2800	powershell.exe
3316	ez.exe
4028	powershell.exe
4028	powershell.exe
2980	powershell.exe
2980	powershell.exe
3140	powershell.exe
3140	powershell.exe
3988	powershell.exe
3988	powershell.exe
4592	SecurityHealthSystray

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3316	ez.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	3316	ez.exe
Token: SeDebugPrivilege	2156	SecurityHealthSystray
Token: SeDebugPrivilege	4496	SecurityHealthSystray
Token: SeDebugPrivilege	3560	SecurityHealthSystray
Token: SeDebugPrivilege	4592	SecurityHealthSystray
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	4592	SecurityHealthSystray
Token: SeShutdownPrivilege	4036	shutdown.exe
Token: SeRemoteShutdownPrivilege	4036	shutdown.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3316	ez.exe
4592	SecurityHealthSystray
1916	LogonUI.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 3968	3316	ez.exe	89
PID 3316 wrote to memory of 3968	3316	ez.exe	89
PID 3316 wrote to memory of 4740	3316	ez.exe	93
PID 3316 wrote to memory of 4740	3316	ez.exe	93
PID 3316 wrote to memory of 3644	3316	ez.exe	97
PID 3316 wrote to memory of 3644	3316	ez.exe	97
PID 3316 wrote to memory of 2800	3316	ez.exe	99
PID 3316 wrote to memory of 2800	3316	ez.exe	99
PID 3316 wrote to memory of 1100	3316	ez.exe	102
PID 3316 wrote to memory of 1100	3316	ez.exe	102
PID 4592 wrote to memory of 4028	4592	SecurityHealthSystray	123
PID 4592 wrote to memory of 4028	4592	SecurityHealthSystray	123
PID 4592 wrote to memory of 2980	4592	SecurityHealthSystray	125
PID 4592 wrote to memory of 2980	4592	SecurityHealthSystray	125
PID 4592 wrote to memory of 3140	4592	SecurityHealthSystray	127
PID 4592 wrote to memory of 3140	4592	SecurityHealthSystray	127
PID 4592 wrote to memory of 3988	4592	SecurityHealthSystray	129
PID 4592 wrote to memory of 3988	4592	SecurityHealthSystray	129
PID 4592 wrote to memory of 224	4592	SecurityHealthSystray	131
PID 4592 wrote to memory of 224	4592	SecurityHealthSystray	131
PID 4592 wrote to memory of 4036	4592	SecurityHealthSystray	133
PID 4592 wrote to memory of 4036	4592	SecurityHealthSystray	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ez.exe
"C:\Users\Admin\AppData\Local\Temp\ez.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ez.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ez.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1100

C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3988
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:224
- C:\Windows\system32\shutdown.exe
  shutdown.exe /f /s /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4036

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38d3055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecurityHealthSystray.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd1d0b083fedf44b482a028fb70b96e8

SHA1
dc9c027937c9f6d52268a1504cbae42a39c8d36a

SHA256
cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

SHA512
96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fa8d1461e4feb2c39654e3a555a027f8

SHA1
0ca46b8961ceba8f9da31de5ed2408643fc89141

SHA256
7e26e4f0ef3a7d2904818a691429789c4781029ff4aab697c3b7c9a4287d661f

SHA512
e486b8f029c7eec60b6b2b5603390330afb1ddf627cc01c511808c47e68676b4c429b9f75fd4e16e48b496dccfe8cc8ec4a35825e1e889e66571acb6c03e0869

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
380007fbdf9fef355db2afd71fce9cd1

SHA1
e98802ef10fac8ef96a3210930784c317ca76fa0

SHA256
6353a11014d2c1495ac7a5efef195d06d8e8b30a163c437263361deb5a28de03

SHA512
9790c6b4c16ed4f4e6cddf492d01a6b4963e20bde6ddf40017db20ffc672b0cfaea2ad6aebcb51e8e459682974be0d024b35546aad840051a1e9fe2d3e565bd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47605a4dda32c9dff09a9ca441417339

SHA1
4f68c895c35b0dc36257fc8251e70b968c560b62

SHA256
e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

SHA512
b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
83685d101174171875b4a603a6c2a35c

SHA1
37be24f7c4525e17fa18dbd004186be3a9209017

SHA256
0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870

SHA512
005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd2d04a3823d3e21fd5835181caebcaf

SHA1
2507b0e1b5d177811f5df27fc462ca35c194d197

SHA256
29c3c7a21a1b670ace9b6de23ccdca331305c8aa1e806ad2f87ebf9e35b95e30

SHA512
3556cf6c246cc0018d55d4de8b949e5b3898ce09612418cab8527b40b1711b51930b03096271e88876a75a2d59a102efd9720ca20de7dc8fae2bba77e4819114

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fm4qfuyb.iql.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk

Filesize
819B

MD5
868ad29a6ba6185a314e6a0e0df836d6

SHA1
d25bf87ee2b2e4d463bb15547f355a4984c3bdf8

SHA256
f82b7b578dde2e9aa832ae9e3bad5a4e1d5e0188828f18fd695173c1248d70f8

SHA512
9a9123ebe34819da506ca30c38791a0154351f1fccb0b57ab34e9413e73e1db6f2f2c1d5976b624de1201366d59c13d923b4bbea75283b0e04890189716cc6cc

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityHealthSystray

Filesize
46.0MB

MD5
c09e00509d7efa941fd97f50ee999feb

SHA1
117361c0c4d9aee118c7cfa4b44af9c561f2d2f9

SHA256
1c4c8d4b80aadd685bf7344b326116a30265c0c1ca7cbaf40f3719b825a2740a

SHA512
3a4e50e44deb484d296579d5d40e9379cef1a4f62869dd2a753244849019c77837defc4bf3349b68b5f9b61b30ea29f4d5f7d087c0d1b321e06e5d93beb69ca1

Download Submit
memory/3316-2-0x00007FFDF70D0000-0x00007FFDF7B91000-memory.dmp

Filesize
10.8MB

Download
memory/3316-4-0x00007FFDF70D0000-0x00007FFDF7B91000-memory.dmp

Filesize
10.8MB

Download
memory/3316-3-0x00007FFDF70D3000-0x00007FFDF70D5000-memory.dmp

Filesize
8KB

Download
memory/3316-67-0x00007FFDF70D0000-0x00007FFDF7B91000-memory.dmp

Filesize
10.8MB

Download
memory/3316-0-0x00007FFDF70D3000-0x00007FFDF70D5000-memory.dmp

Filesize
8KB

Download
memory/3316-1-0x0000000000110000-0x000000000012A000-memory.dmp

Filesize
104KB

Download
memory/3968-5-0x00007FFDF70D0000-0x00007FFDF7B91000-memory.dmp

Filesize
10.8MB

Download
memory/3968-6-0x00007FFDF70D0000-0x00007FFDF7B91000-memory.dmp

Filesize
10.8MB

Download
memory/3968-20-0x00007FFDF70D0000-0x00007FFDF7B91000-memory.dmp

Filesize
10.8MB

Download
memory/3968-7-0x00007FFDF70D0000-0x00007FFDF7B91000-memory.dmp

Filesize
10.8MB

Download
memory/3968-17-0x0000029DFFE20000-0x0000029DFFE42000-memory.dmp

Filesize
136KB

Download
memory/4592-115-0x000000001D0E0000-0x000000001D0EC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads