Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system -
submitted
21/01/2025, 07:02
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win11-20241007-en
General
-
Target
XClient.exe
-
Size
33KB
-
MD5
843daa234f9b31c8f22c433971b0b086
-
SHA1
3c5f573f61e89c1a113fe907e5831e4be5dc5a4c
-
SHA256
f965e1f1dcbf5efaa48c4e4d14691e6d378d9caec1352a85ee06d0ebfc43eca7
-
SHA512
0da56ef71bebb09550cb666b6aa72d0f36e7aff12212da8fd523dd0450a211226d8106c136951d483813a76455b6ae12f711e6ea6513b3ff63c304b5d93fbfd0
-
SSDEEP
384:nl+PkjD9+E5MFs7iui8L7zKM42pfL3iB7OxVqWqKRApkFXBLTsOZwpGN2v99Ikun:l+CD93W03v42JiB70lVF49jXOjhwbi
Malware Config
Extracted
xworm
5.0
general-hebrew.gl.at.ply.gg:24614
cBWzGpKKIzANTO2p
-
install_file
svchost.exe
Extracted
xworm
3.0
plus-loves.gl.at.ply.gg:59327
-
Install_directory
%AppData%
-
install_file
USB.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block-at-first-seen, etc.
resource | yara_rule
behavioral1/memory/1072-207-0x000000001BBF0000-0x000000001BBFE000-memory.dmp | disable_win_def -
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Detect Xworm Payload 3 IoCs
resource | yara_rule
behavioral1/memory/1072-1-0x0000000000580000-0x000000000058E000-memory.dmp | family_xworm
behavioral1/files/0x001c00000002aae3-9.dat | family_xworm
behavioral1/memory/4356-17-0x0000000000240000-0x0000000000274000-memory.dmp | family_xworm -
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\XClient.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\dwm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\"" | hyperSurrogateagentCrt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\XClient.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\dwm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\dllhost.exe\"" | hyperSurrogateagentCrt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\XClient.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\dwm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\dllhost.exe\", \"C:\\HypercomponentCommon\\hyperSurrogateagentCrt.exe\"" | hyperSurrogateagentCrt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\dllhost.exe\"" | hyperSurrogateagentCrt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\XClient.exe\"" | hyperSurrogateagentCrt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\XClient.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\dwm.exe\"" | hyperSurrogateagentCrt.exe -
Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | powershell.exe -
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2872 | 4816 | schtasks.exe | 78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3100 | 4816 | schtasks.exe | 78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2408 | 4816 | schtasks.exe | 78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4396 | 4816 | schtasks.exe | 78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2876 | 4816 | schtasks.exe | 78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 784 | 4816 | schtasks.exe | 78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2244 | 4816 | schtasks.exe | 78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1416 | 4816 | schtasks.exe | 78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 436 | 4816 | schtasks.exe | 78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2836 | 4816 | schtasks.exe | 78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3024 | 4816 | schtasks.exe | 78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1516 | 4816 | schtasks.exe | 78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4488 | 4816 | schtasks.exe | 78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4304 | 4816 | schtasks.exe | 78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 816 | 4816 | schtasks.exe | 78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5084 | 4816 | schtasks.exe | 78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4724 | 4816 | schtasks.exe | 78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4388 | 4816 | schtasks.exe | 78 -
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 1072 created 688 | 1072 | XClient.exe | 7 -
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2144 | powershell.exe
1736 | powershell.exe
2420 | powershell.exe
1204 | powershell.exe
1616 | powershell.exe
2072 | powershell.exe
1764 | powershell.exe -
Downloads MZ/PE file
-
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XYR269UW2X56RGZ.lnk | XYR269UW2X56RGZ.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XYR269UW2X56RGZ.lnk | XYR269UW2X56RGZ.exe -
Executes dropped EXE 13 IoCs
pid | Process
4356 | XYR269UW2X56RGZ.exe
1832 | LRZDBCUY9IYTYZA.exe
5076 | AJLF0KZUL5VL5NH.exe
644 | hyperSurrogateagentCrt.exe
4396 | System.exe
2972 | TOBT66RBMHPKUAF.exe
4088 | hyperSurrogateagentCrt.exe
328 | XYR269UW2X56RGZ.exe
2060 | XYR269UW2X56RGZ.exe.exe
4136 | dllhost.exe
1636 | XYR269UW2X56RGZ.exe
4768 | XYR269UW2X56RGZ.exe.exe
1136 | dllhost.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and similar sensitive data.
-
Adds Run key to start application 2 TTPs 13 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyperSurrogateagentCrt = "\"C:\\HypercomponentCommon\\hyperSurrogateagentCrt.exe\"" | hyperSurrogateagentCrt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\XYR269UW2X56RGZ = "C:\\Users\\Admin\\AppData\\Roaming\\XYR269UW2X56RGZ.exe" | XYR269UW2X56RGZ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\dllhost.exe\"" | hyperSurrogateagentCrt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\XClient.exe\"" | hyperSurrogateagentCrt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\dwm.exe\"" | hyperSurrogateagentCrt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyperSurrogateagentCrt = "\"C:\\HypercomponentCommon\\hyperSurrogateagentCrt.exe\"" | hyperSurrogateagentCrt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Mozilla Firefox\\dllhost.exe\"" | hyperSurrogateagentCrt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Mozilla Firefox\\dllhost.exe\"" | hyperSurrogateagentCrt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\dllhost.exe\"" | hyperSurrogateagentCrt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\XClient.exe\"" | hyperSurrogateagentCrt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\dwm.exe\"" | hyperSurrogateagentCrt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\"" | hyperSurrogateagentCrt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\"" | hyperSurrogateagentCrt.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
3 | raw.githubusercontent.com
7 | raw.githubusercontent.com -
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | \??\c:\Windows\System32\CSCA3B127F226C34C09975C583660B9125C.TMP | csc.exe
File created | \??\c:\Windows\System32\qq0pbq.exe | csc.exe -
Drops file in Program Files directory 9 IoCs
description | ioc | Process
File created | C:\Program Files\Mozilla Firefox\dllhost.exe | hyperSurrogateagentCrt.exe
File created | C:\Program Files\Mozilla Firefox\5940a34987c991 | hyperSurrogateagentCrt.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.371\XClient.exe | hyperSurrogateagentCrt.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.371\cf20f2cf4406ff | hyperSurrogateagentCrt.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe | hyperSurrogateagentCrt.exe
File opened for modification | C:\Program Files\Mozilla Firefox\dllhost.exe | hyperSurrogateagentCrt.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe | hyperSurrogateagentCrt.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0 | hyperSurrogateagentCrt.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\5940a34987c991 | hyperSurrogateagentCrt.exe -
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\BitLockerDiscoveryVolumeContents\6cb0b6c459d5d3 | hyperSurrogateagentCrt.exe
File created | C:\Windows\OCR\en-us\fontdrvhost.exe | hyperSurrogateagentCrt.exe
File created | C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe | hyperSurrogateagentCrt.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility used to control services on the system.
pid | Process
4588 | sc.exe
3620 | sc.exe
2432 | sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LRZDBCUY9IYTYZA.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TOBT66RBMHPKUAF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe -
Modifies data under HKEY_USERS 46 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe -
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings | LRZDBCUY9IYTYZA.exe
Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings | hyperSurrogateagentCrt.exe
Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings | TOBT66RBMHPKUAF.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 19 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2244 | schtasks.exe
1516 | schtasks.exe
816 | schtasks.exe
5084 | schtasks.exe
2876 | schtasks.exe
4304 | schtasks.exe
4724 | schtasks.exe
2872 | schtasks.exe
3100 | schtasks.exe
2408 | schtasks.exe
436 | schtasks.exe
2836 | schtasks.exe
3024 | schtasks.exe
4488 | schtasks.exe
1012 | schtasks.exe
4396 | schtasks.exe
784 | schtasks.exe
1416 | schtasks.exe
4388 | schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
644 | hyperSurrogateagentCrt.exe (64 identical entries) -
Suspicious use of AdjustPrivilegeToken 52 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1072 | XClient.exe
Token: SeDebugPrivilege | 4356 | XYR269UW2X56RGZ.exe (2 entries)
Token: SeDebugPrivilege | 5076 | AJLF0KZUL5VL5NH.exe
Token: SeDebugPrivilege | 644 | hyperSurrogateagentCrt.exe
Token: SeDebugPrivilege | 2420 | powershell.exe
Token: SeDebugPrivilege | 1736 | powershell.exe
Token: SeDebugPrivilege | 2144 | powershell.exe
Token: SeDebugPrivilege | 1204 | powershell.exe
Token: SeDebugPrivilege | 2072 | powershell.exe
Token: SeDebugPrivilege | 1616 | powershell.exe
Token: SeDebugPrivilege | 4396 | System.exe
Token: SeDebugPrivilege | 4088 | hyperSurrogateagentCrt.exe
Token: SeDebugPrivilege | 2060 | XYR269UW2X56RGZ.exe.exe
Token: SeDebugPrivilege | 4136 | dllhost.exe
Token: SeDebugPrivilege | 2848 | whoami.exe (26 identical entries)
Token: SeDebugPrivilege | 1764 | powershell.exe
Token: SeDebugPrivilege | 4108 | whoami.exe (8 identical entries)
Token: SeDebugPrivilege | 4768 | XYR269UW2X56RGZ.exe.exe
Token: SeDebugPrivilege | 1136 | dllhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1072 wrote to memory of 4356 | 1072 | XClient.exe | 79 (2 entries)
PID 4356 wrote to memory of 1012 | 4356 | XYR269UW2X56RGZ.exe | 80 (2 entries)
PID 1072 wrote to memory of 1832 | 1072 | XClient.exe | 82 (3 entries)
PID 1832 wrote to memory of 892 | 1832 | LRZDBCUY9IYTYZA.exe | 83 (3 entries)
PID 1072 wrote to memory of 5076 | 1072 | XClient.exe | 84 (2 entries)
PID 892 wrote to memory of 4268 | 892 | WScript.exe | 85 (3 entries)
PID 4268 wrote to memory of 644 | 4268 | cmd.exe | 87 (2 entries)
PID 644 wrote to memory of 4708 | 644 | hyperSurrogateagentCrt.exe | 91 (2 entries)
PID 4708 wrote to memory of 1892 | 4708 | csc.exe | 93 (2 entries)
PID 644 wrote to memory of 3284 | 644 | hyperSurrogateagentCrt.exe | 94 (2 entries)
PID 3284 wrote to memory of 4760 | 3284 | csc.exe | 96 (2 entries)
PID 644 wrote to memory of 2420 | 644 | hyperSurrogateagentCrt.exe | 112 (2 entries)
PID 644 wrote to memory of 1736 | 644 | hyperSurrogateagentCrt.exe | 113 (2 entries)
PID 644 wrote to memory of 2144 | 644 | hyperSurrogateagentCrt.exe | 114 (2 entries)
PID 644 wrote to memory of 1204 | 644 | hyperSurrogateagentCrt.exe | 115 (2 entries)
PID 644 wrote to memory of 1616 | 644 | hyperSurrogateagentCrt.exe | 116 (2 entries)
PID 644 wrote to memory of 2072 | 644 | hyperSurrogateagentCrt.exe | 117 (2 entries)
PID 644 wrote to memory of 2036 | 644 | hyperSurrogateagentCrt.exe | 124 (2 entries)
PID 2036 wrote to memory of 4588 | 2036 | cmd.exe | 126 (2 entries)
PID 2036 wrote to memory of 4916 | 2036 | cmd.exe | 127 (2 entries)
PID 2036 wrote to memory of 4396 | 2036 | cmd.exe | 128 (2 entries)
PID 1072 wrote to memory of 2972 | 1072 | XClient.exe | 129 (3 entries)
PID 2972 wrote to memory of 3016 | 2972 | TOBT66RBMHPKUAF.exe | 130 (3 entries)
PID 3016 wrote to memory of 1376 | 3016 | WScript.exe | 131 (3 entries)
PID 1376 wrote to memory of 4088 | 1376 | cmd.exe | 133 (2 entries)
PID 328 wrote to memory of 2060 | 328 | XYR269UW2X56RGZ.exe | 136 (2 entries)
PID 328 wrote to memory of 4136 | 328 | XYR269UW2X56RGZ.exe | 135 (2 entries)
PID 1072 wrote to memory of 4588 | 1072 | XClient.exe | 138 (2 entries)
PID 1072 wrote to memory of 1896 | 1072 | XClient.exe | 139 (2 entries) -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:688
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}2⤵
- Modifies Windows Defender Real-time Protection settings
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1764 -
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" qc windefend3⤵
- Launches sc.exe
PID:3620
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"3⤵PID:1164
-
-
C:\Windows\system32\whoami.exe"C:\Windows\system32\whoami.exe" /groups3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4108
-
-
C:\Windows\system32\net1.exe"C:\Windows\system32\net1.exe" stop windefend3⤵PID:4152
-
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE3⤵
- Launches sc.exe
PID:2432
-
-
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Users\Admin\AppData\Local\Temp\XYR269UW2X56RGZ.exe"C:\Users\Admin\AppData\Local\Temp\XYR269UW2X56RGZ.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XYR269UW2X56RGZ" /tr "C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe"3⤵
- Scheduled Task/Job: Scheduled Task
PID:1012
-
-
-
C:\Users\Admin\AppData\Local\Temp\LRZDBCUY9IYTYZA.exe"C:\Users\Admin\AppData\Local\Temp\LRZDBCUY9IYTYZA.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4268
C:\HypercomponentCommon\hyperSurrogateagentCrt.exe (depth 5)
Command line: "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 6)
Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0zgyju0l\0zgyju0l.cmdline"
- Suspicious use of WriteProcessMemory
PID:4708
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 7)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E2D.tmp" "c:\Users\Admin\AppData\Roaming\CSCF795A17B2C2B41F3B1AD1B76ECBE216.TMP"
PID:1892
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 6)
Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lly4cse5\lly4cse5.cmdline"
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3284
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 7)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EC9.tmp" "c:\Windows\System32\CSCA3B127F226C34C09975C583660B9125C.TMP"
PID:4760
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2420
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.371\XClient.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1736
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2144
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1204
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1616
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2072
C:\Windows\System32\cmd.exe (depth 6)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w5I23rwOVM.bat"
- Suspicious use of WriteProcessMemory
PID:2036
C:\Windows\system32\chcp.com (depth 7)
Command line: chcp 65001
PID:4588
C:\Windows\system32\w32tm.exe (depth 7)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:4916
C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe (depth 7)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4396
C:\Users\Admin\AppData\Local\Temp\AJLF0KZUL5VL5NH.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\AJLF0KZUL5VL5NH.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5076
C:\Users\Admin\AppData\Local\Temp\TOBT66RBMHPKUAF.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\TOBT66RBMHPKUAF.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972
C:\Windows\SysWOW64\WScript.exe (depth 3)
Command line: "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: C:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1376
C:\HypercomponentCommon\hyperSurrogateagentCrt.exe (depth 5)
Command line: "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4088
C:\Windows\system32\sc.exe (depth 2)
Command line: "C:\Windows\system32\sc.exe" qc windefend
- Launches sc.exe
PID:4588
C:\Windows\system32\cmd.exe (depth 2)
Command line: "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
PID:1896
C:\Windows\system32\whoami.exe (depth 2)
Command line: "C:\Windows\system32\whoami.exe" /groups
- Suspicious use of AdjustPrivilegeToken
PID:2848
C:\Windows\system32\net1.exe (depth 2)
Command line: "C:\Windows\system32\net1.exe" start TrustedInstaller
PID:4400
C:\Windows\system32\net1.exe (depth 2)
Command line: "C:\Windows\system32\net1.exe" start lsass
PID:2392
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "XClientX" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\XClient.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "XClient" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\XClient.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "XClientX" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\XClient.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 8 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 14 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388
C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe (depth 1)
Command line: C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:328
C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe (depth 2)
Command line: "C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4136
C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2060
C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe (depth 1)
Command line: C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe
- Executes dropped EXE
PID:1636
C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4768
C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe (depth 2)
Command line: "C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1136
Network
MITRE ATT&CK Enterprise v15 (tactic, technique, sub-technique; count of matching signatures in parentheses)
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
- Filesize: 220B
  MD5: 47085bdd4e3087465355c9bb9bbc6005
  SHA1: bf0c5b11c20beca45cc9d4298f2a11a16c793a61
  SHA256: 80577e4666fad86273b01f60b8d63c15e4ce37774575ac1e0df7a7c396979752
  SHA512: e74dd8e9756cab1123410a46609dc91540cc29a8fea93017155746f7bb9b7a41bfd3d7595a62788264bedceb475b2a733cce9b70f37cc4478302d5fc228d7684
- Filesize: 105B
  MD5: 5ee2935a1949f69f67601f7375b3e8a3
  SHA1: 6a3229f18db384e57435bd3308298da56aa8c404
  SHA256: c24a0d7f53a7aa3437f6b6566d3aaebdb36053b64e72cbd1d3796596fc8e3c06
  SHA512: 9777fcb9ee8a8aa0c770c835c5f30aff6efc5fb16a1819047e13d580d748703ffcb446db110067fb2546a637213cb8f25416d4b621a95a789b8e113d31d3401a
- Filesize: 1.9MB
  MD5: 7be5cea1c84ad0b2a6d2e5b6292c8d80
  SHA1: 631e3de0fe83ebacbe5be4e7f895dd0bd8b095ce
  SHA256: 6eb90684ebc56fb2713f5c468b55a964625ec2af698d9687492b1de4225693b7
  SHA512: ea58d3b1664fe70968635c2722e19ce65ce4c1d66c68aed2d98441e60e773c7295f18d9c99cf4c454c510f33f5e37d3d2c0053b7434a46c542a0d63a4cc03647
- Filesize: 654B
  MD5: 2cbbb74b7da1f720b48ed31085cbd5b8
  SHA1: 79caa9a3ea8abe1b9c4326c3633da64a5f724964
  SHA256: e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
  SHA512: ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
- Filesize: 226B
  MD5: 4ae344179932dc8e2c6fe2079f9753ef
  SHA1: 60eacc624412b1f34809780769e3b212f138ea9c
  SHA256: 3063de3898a9b34e19f8cf0beeec2b8bd6bd05896b52abd73f4703d07b8a7cd4
  SHA512: fadfe2b83f1af8fdc50430325f69d6172d2c1e889ca3800b3b83e5535d5970c32e9a176b48563275a0630d56c96d9f88df148fd6b2d281f0fc58129e5f4dba19
- Filesize: 847B
  MD5: 2940b232afa412901f8ae5651c790f93
  SHA1: f79bd5d1433c803515e2d9a016396344187beea2
  SHA256: 16f4a7736a0c2aee54256d3d75ce4c0816fabf130b3b92340deca34c5f5fda43
  SHA512: 553d5491c9bc358c7ce8a95caa445e882ab4bf744a2f5be1b2131c20f27321f65121389fd076558ba415f322fdad6ed36a05902e5c55cbbeace371182890af27
- Filesize: 1KB
  MD5: 1126a1de0a15000f1687b171641ffea6
  SHA1: dcc99b2446d05b8f0f970e3e9105198a20ca9e78
  SHA256: b886b6c74da838e87b2cbc539ee657a2817d126b55c0cbd6d1ab91480261bcc7
  SHA512: 6cfb73ea43899ffa3cecd354cd76b0a1a67f57d9054c3e31cff43424491ed3bceae5aecd0f5c414ba92aab539eb7d55af3d40eedde80c9af8d34649bb1f8d4b4
- Filesize: 2KB
  MD5: 627073ee3ca9676911bee35548eff2b8
  SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
  SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
  SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
- Filesize: 944B
  MD5: d0a4a3b9a52b8fe3b019f6cd0ef3dad6
  SHA1: fed70ce7834c3b97edbd078eccda1e5effa527cd
  SHA256: 21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31
  SHA512: 1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b
- Filesize: 944B
  MD5: aa4f31835d07347297d35862c9045f4a
  SHA1: 83e728008935d30f98e5480fba4fbccf10cefb05
  SHA256: 99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0
  SHA512: ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629
- Filesize: 944B
  MD5: 05b3cd21c1ec02f04caba773186ee8d0
  SHA1: 39e790bfe10abf55b74dfb3603df8fcf6b5e6edb
  SHA256: 911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8
  SHA512: e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb
- Filesize: 2.2MB
  MD5: 05d87a4a162784fd5256f4118aff32af
  SHA1: 484ed03930ed6a60866b6f909b37ef0d852dbefd
  SHA256: 7e3d0dabaded78094abfac40d694eaebf861f3cb865d3835bb053d435e996950
  SHA512: 3d4ce511e9671d8bfa15e93d681fedd972f4fe4c09ac9cfd9653afe83e936654c88ee515a76e7ac80e8f34868802e68c6531fdea0b718029d2196ad1425981fc
- Filesize: 1KB
  MD5: 966c3c4130576f866b7dda5389008bba
  SHA1: a03b77bbb0d216e80a7e5d9594952769ba1536df
  SHA256: 237c801cedd0bee5dfa978ba3f672a11745caad48bff317968e721073b46678d
  SHA512: b21679d3eb3c3d49e07999ba1eac11d8c4c41c1bb71a0db62bf27818c48573f361c8e442cda10ac927a343019d7d0b9210dee565e4728723e948e534ffe0a64f
- Filesize: 1KB
  MD5: f84b95dedf30aa9cb2c09b97cd74ebc3
  SHA1: 54ddbff0c173cb3d7dc83da35b6fa2fa651ec191
  SHA256: a5180d0d61b692430b18668f7d0e93b245faa3042211eef4cbcf015cd9e35773
  SHA512: 3dd4d0c565b14c85789f4fda17d01d6acc8f6cb368f8be79046c2f93f1deffeed3889ef96f22442f75e4bceae44037f75c1ffbfde129af3ef71312b4d8d2ea81
- Filesize: 185KB
  MD5: e0c8976957ffdc4fe5555adbe8cb0d0c
  SHA1: 226a764bacfa17b92131993aa85fe63f1dbf347c
  SHA256: b8260ac46e03f2a7baa9ae01bee5443d16d9eb96f6ee8588a887d6de72a750d4
  SHA512: 3a1ea48e81ebfd5586938a72afd68bcc48d4c5d69949cfdacf33aee3371d98f202443f5db12bac876ca7cecc982ddc56827f8d9b1857d22bda71242d5b2cc71e
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 242B
  MD5: 51aec62800cff2d4e9e46f61a7b7fa5e
  SHA1: 07c58b2368ac4b3778c8e1cd2278dc0329b969a8
  SHA256: a682bb7e16b003a17835b35dcc158cf0d6ffd23fcd48d113a53ee615f4935a5f
  SHA512: 9044f8533adf481ad3b8b2c0ec64bc82dca056e1f7dd3b57e4ed8a512c2769ba07843f011dba4d0be441438578368fd67926e2b429fbcf1f9833f55b65dbd2ea
- Filesize: 4KB
  MD5: 7caba83aa0ef3e8f737463976122f611
  SHA1: e536b19809aaa465567236a0a087956df70b7de4
  SHA256: 6c71c2773fadc1ab065e8a8d7d9f7ce22f4609aaf56cdc9093933827fd5241e5
  SHA512: b4823bbdeb09f063b7e43f254bc4f8c493679d014a97b5d32f9526380c8325b75a86f1bdb430d8e195a776c76cda9b8edee068952d7facf7d376dd6b3beb57dd
- Filesize: 410B
  MD5: 37f5a9a57874bad23c138af94db88d83
  SHA1: 068393b859ecac7149964811151e65de8197ea09
  SHA256: a8dfeea710d60fc171b6f10d04daeeafa6ccefa350d5e6c742b5956d7a2d9045
  SHA512: 6dc279942f05b9a2d09fa12b22c9e8b311b2a7fed07195896af4750a186111ab6085a8fe80bda4c512c37b21c6302bdaafd562458b004f75eb6b921944832721
- Filesize: 255B
  MD5: 6800d1d4666bb507385da4f61d24e45f
  SHA1: b7b3b4aee28a397d9b880b6e66396d0f6b699f30
  SHA256: 8e5a092385cb01337ac1607b5765d9ccbb0ee9169f8bd8f63cdc4439f98c22c2
  SHA512: 8fad52d1c1f97c248496f27b3aae5081963a432b6464a9d6ea52b6ab6991738291e06fdb454b9d7f8d70d2b01e80c497e554aecc3645c131c847909c9e402165
- Filesize: 390B
  MD5: 1320a555a60d66f718f658ceb7165b5d
  SHA1: d11a1bd46b0a73830a38129a95f5c5d6595d4613
  SHA256: 565a161d30e7eec2b69d5e96cf82ed289b7917077ceb473baf4311f62f5feb59
  SHA512: 0f440af6ba8b7d57c035a0050236f99b648c331c5d35f35624ac91676bc575e8b2c5379d04d78f0083e04c48b4202985884e0412d74cdb276445b72539948b65
- Filesize: 235B
  MD5: 87d2c478967a60821c35447f5a9c72d3
  SHA1: 2433b2facfe2154175a0a884a1b10a7890f6517d
  SHA256: e439b0352ed015c12b66eaf143ca6a90ffa4fb77ee34ecb1f05d6347ba2bab9b
  SHA512: 0b6b04727a0d3fb448db4683a2d484b49a5c3abf013fcd4b73087558a4248233bf4470784c3d60b18e06fddcab6aa1b2aa470e6fd46ec5f0d1017ce9a335db29
- Filesize: 1KB
  MD5: dfca71d425836f13c24edf5df990b85f
  SHA1: 02ca2fdb1821421d9730d252ad4502e65de681b2
  SHA256: 5f61a298aa04433130705593559fcf56e71df59cac700fc6217badbd1efe239d
  SHA512: c5e87166303f0a48f38b1715caee2fb2d54522210e7f64e08a346a73910b66cb947a9ccbc355939d6a626d017ce408628c5d717436129e0fea1f1c5f2a0b1318
- Filesize: 1KB
  MD5: 5312a26d06282ef9ae358ed7609d9bb5
  SHA1: 0ba9ce38a2b4bf3de2b3d6f589488caf95e24b55
  SHA256: c50e76bfb6328f826406d6ee365f7eb2936eb2be622d2dd08b144e1fce606246
  SHA512: 4d3724e6bca4ff31c21d321567f684856ea35133a23de706b1c7f62d40642509d871fc3745739e798b003f832fa7bdc3de11f03da6c88e3507def0fd0047e525