xworm | d0b344845672d414f7041eabc40b0c0976749cd815ec1d1862e1e038a40c0dbe

Analysis

max time kernel
114s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader_prod.exe
Size

28.0MB
MD5

d244b2e378b22823e7b953f4fddd0b70
SHA1

5bbdb1e4fa0a755164de0f969089324160252d83
SHA256

d0b344845672d414f7041eabc40b0c0976749cd815ec1d1862e1e038a40c0dbe
SHA512

5b17e1b13ea8f0b112cdb0bc246478ebb4040fe3371ef135ab44854a2b4558754fca3814aced057b2b77eb4058dcd39862e0a509a4cec76f771e101ead22b6de
SSDEEP

3072:51KuNrpH21CHLt9GMCbHlPXAhEU3xZ6vvPs8:51hX21uLXd2SmKbcvP

Score

10^/10

xworm defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

trip-thesaurus.gl.at.ply.gg:16715

rates-sir.gl.at.ply.gg:9099

Attributes

Install_directory
%AppData%
install_file
SecurityHealthSystray.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b53-4.dat	family_xworm
behavioral1/memory/628-12-0x0000000000170000-0x000000000018C000-memory.dmp	family_xworm
behavioral1/files/0x000a000000023b7d-140.dat	family_xworm
behavioral1/memory/4428-147-0x0000000000E50000-0x0000000000EAC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1444	powershell.exe
4220	powershell.exe
4492	powershell.exe
4784	powershell.exe
3604	powershell.exe
4456	powershell.exe
2904	powershell.exe
1116	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	loader_prod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Woofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	nqcwwk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Steam.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	Woofer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	Woofer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk	Steam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk	Steam.exe

Executes dropped EXE 7 IoCs

pid	Process
628	Woofer.exe
4812	nqcwwk.exe
4428	Steam.exe
1120	Steam.exe
5112	SecurityHealthSystray.exe
4740	Steam.exe
2172	SecurityHealthSystray.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthSystray.exe"	Woofer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\Steam.exe"	Steam.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nqcwwk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader_prod.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3852	schtasks.exe
1608	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
628	Woofer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1680	powershell.exe
1680	powershell.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
4492	powershell.exe
4492	powershell.exe
4784	powershell.exe
4784	powershell.exe
1496	taskmgr.exe
3604	powershell.exe
3604	powershell.exe
4456	powershell.exe
4456	powershell.exe
1496	taskmgr.exe
628	Woofer.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1552	powershell.exe
1552	powershell.exe
1496	taskmgr.exe
1496	taskmgr.exe
2904	powershell.exe
2904	powershell.exe
1116	powershell.exe
1116	powershell.exe
1444	powershell.exe
1444	powershell.exe
4220	powershell.exe
4220	powershell.exe
4428	Steam.exe
1904	taskmgr.exe
1904	taskmgr.exe
1904	taskmgr.exe
1904	taskmgr.exe
1904	taskmgr.exe
1904	taskmgr.exe
1904	taskmgr.exe
1904	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1904	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	Woofer.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1496	taskmgr.exe
Token: SeSystemProfilePrivilege	1496	taskmgr.exe
Token: SeCreateGlobalPrivilege	1496	taskmgr.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	628	Woofer.exe
Token: SeDebugPrivilege	4428	Steam.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: 33	1496	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1496	taskmgr.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	4428	Steam.exe
Token: SeDebugPrivilege	1904	taskmgr.exe
Token: SeSystemProfilePrivilege	1904	taskmgr.exe
Token: SeCreateGlobalPrivilege	1904	taskmgr.exe
Token: SeDebugPrivilege	1120	Steam.exe
Token: SeDebugPrivilege	5112	SecurityHealthSystray.exe
Token: SeDebugPrivilege	4740	Steam.exe
Token: SeDebugPrivilege	2172	SecurityHealthSystray.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1904	taskmgr.exe
1904	taskmgr.exe
1904	taskmgr.exe
1904	taskmgr.exe
1904	taskmgr.exe
1904	taskmgr.exe
1904	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1496	taskmgr.exe
1904	taskmgr.exe
1904	taskmgr.exe
1904	taskmgr.exe
1904	taskmgr.exe
1904	taskmgr.exe
1904	taskmgr.exe
1904	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
628	Woofer.exe
4428	Steam.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 1680	2360	loader_prod.exe	83
PID 2360 wrote to memory of 1680	2360	loader_prod.exe	83
PID 2360 wrote to memory of 1680	2360	loader_prod.exe	83
PID 2360 wrote to memory of 628	2360	loader_prod.exe	85
PID 2360 wrote to memory of 628	2360	loader_prod.exe	85
PID 628 wrote to memory of 4492	628	Woofer.exe	88
PID 628 wrote to memory of 4492	628	Woofer.exe	88
PID 628 wrote to memory of 4784	628	Woofer.exe	90
PID 628 wrote to memory of 4784	628	Woofer.exe	90
PID 628 wrote to memory of 3604	628	Woofer.exe	92
PID 628 wrote to memory of 3604	628	Woofer.exe	92
PID 628 wrote to memory of 4456	628	Woofer.exe	94
PID 628 wrote to memory of 4456	628	Woofer.exe	94
PID 628 wrote to memory of 3852	628	Woofer.exe	98
PID 628 wrote to memory of 3852	628	Woofer.exe	98
PID 628 wrote to memory of 4812	628	Woofer.exe	104
PID 628 wrote to memory of 4812	628	Woofer.exe	104
PID 628 wrote to memory of 4812	628	Woofer.exe	104
PID 4812 wrote to memory of 1552	4812	nqcwwk.exe	105
PID 4812 wrote to memory of 1552	4812	nqcwwk.exe	105
PID 4812 wrote to memory of 1552	4812	nqcwwk.exe	105
PID 4812 wrote to memory of 4428	4812	nqcwwk.exe	107
PID 4812 wrote to memory of 4428	4812	nqcwwk.exe	107
PID 4428 wrote to memory of 2904	4428	Steam.exe	109
PID 4428 wrote to memory of 2904	4428	Steam.exe	109
PID 4428 wrote to memory of 1116	4428	Steam.exe	111
PID 4428 wrote to memory of 1116	4428	Steam.exe	111
PID 4428 wrote to memory of 1444	4428	Steam.exe	113
PID 4428 wrote to memory of 1444	4428	Steam.exe	113
PID 4428 wrote to memory of 4220	4428	Steam.exe	115
PID 4428 wrote to memory of 4220	4428	Steam.exe	115
PID 4428 wrote to memory of 1608	4428	Steam.exe	117
PID 4428 wrote to memory of 1608	4428	Steam.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\loader_prod.exe
"C:\Users\Admin\AppData\Local\Temp\loader_prod.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYgBhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAawBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGUAdQBnACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Users\Admin\AppData\Roaming\Woofer.exe
  "C:\Users\Admin\AppData\Roaming\Woofer.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Woofer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Woofer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4456
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3852
- - C:\Users\Admin\AppData\Local\Temp\nqcwwk.exe
    "C:\Users\Admin\AppData\Local\Temp\nqcwwk.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAbABwACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAegBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAbgBtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAbgBnACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1552
  - - C:\Users\Admin\AppData\Roaming\Steam.exe
      "C:\Users\Admin\AppData\Roaming\Steam.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Steam.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Steam.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Steam" /tr "C:\Users\Admin\AppData\Roaming\Steam.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1608

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1496

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1904

C:\Users\Admin\AppData\Roaming\Steam.exe
C:\Users\Admin\AppData\Roaming\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Users\Admin\AppData\Roaming\Steam.exe
C:\Users\Admin\AppData\Roaming\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Steam.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0e7bfb4681451cccec5c17f2dda3bf6

SHA1
aadbce96e0694253d4acbf7232311abea5ce2e6b

SHA256
e864e1be368f08926997c9d5a271f45f7a7796f01fc79977eb19539c80f3b7ae

SHA512
6277098c0a3dbe8759ffe480a6f70dff4ac09d7b599847b25a8105f8d96c868157a6688fd160cca40282bb4b1649914063a8187efab291f98d576f33372cbbb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b41fd425f5a13d1c0b5271eb06635d81

SHA1
0c3b4324459f49967c2c3805c26870b5c977ef62

SHA256
b272ac902882fcdfb41b192c2cea75cef848446084d92cbc33d8e95096b43d8d

SHA512
28b6a5aa4d34757b4a9b9c212229bc9252de9e6847232cb491ec7813a522caf9c73f44f4fe88dcefc54753034325c7a46d2e814bf636ec2938bb5986d481346b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a6685e02d4224799097fe9c6627fb607

SHA1
ec2d18e25513a559eed359a82c0d99e81ff41d54

SHA256
a5090285f71bb4d53010b60b446726b9257b54271c6f2e7d708ec78e335e15a9

SHA512
5e3111b2bcd3020d00d793ae3df269737ac3648d6374e18629860c455a023700f53effbc31bd3d6b5f359811de0f51a38eda248e5fd652675e6337b18cf2969e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
51cf8df21f531e31f7740b4ec487a48a

SHA1
40c6a73b22d71625a62df109aefc92a5f9b9d13e

SHA256
263d9b98a897d1d66da4832af640c4bf5ab0ae91125ba12243453dfe714f3d0d

SHA512
57a85461f6ea96b26a8b53d3a9cca18543e4ddbe996e8f412fc4cf7cf6e9ffe558c96da7b322a42f18bef62020e65aee119bed6102f75e2f605df09b02ec6368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
50d3033f2bc3a3774c469d03e71a79a9

SHA1
22027b1d52085de99b3bffa276530fea5d961471

SHA256
2987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147

SHA512
ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ef283eb32d269bab8672f1c57c371c4c

SHA1
a87f6904cd3ef6fd5a65688c1681222c07af8a2e

SHA256
fe0f0818b7c36c9906073e100d841e82a0a8bffb83b344e11f2b01b82a0fe75e

SHA512
62b7333ae3478853ec990deab9e363d4ab1f1319dad5293bf9dfcc03e3e827fe282ec6a6e214cbdb442f3f2800264e74e9e8e12170a81fcdad76b34333b576e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zy0255eg.eoo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqcwwk.exe

Filesize
351KB

MD5
bdf4babc0504339255ab25c4550e373a

SHA1
08f6c30ea97cff716acce362c8c3b2629ec7d08c

SHA256
b86413527bbc9f5ba6240402aba7cd6d0413bc9ee7db1f02ec18426f18c60044

SHA512
97c058c8873b2146c91a3f3a21b653e70b001277203222f5ead6f142134b66e2be4a79ee87c9adf57b2fad56e2c354ece62115d36dd0e7f3e17cf459751c4178

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk

Filesize
843B

MD5
6092e9d9c1529d549700223aac16cdd2

SHA1
d863a7c88bac74037756759c9de62c9da78bca9d

SHA256
b633bf50fa4e1d045691d72096e51381eeb9e8832ea7a116579418c1c4a2ca88

SHA512
6d21e783779f08f94be8ec2268c559d152eff88eaecf7cfc49fdc6122df8a5d8c5e4034e95a4061b07e83cacf58fdf6c0004ffed1baa3f9e0249fd5677cf7c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk

Filesize
759B

MD5
106a940147c5cbb18fef53824d11805c

SHA1
0ead61ed4d54d037055aef2e5513c27c3d700044

SHA256
739f8216a79f5a58ae158874b98b33a389126a19dfd6461613b688906dc1c749

SHA512
1361b9be7322b79b38f3c32d7b069b186b33e1ad8363a08a49e99f5f05cb567e2a66ccf7ffa46ae41f3c0c92e79284e653f699bbcb6885b0b78564974cd99653

Download Submit
C:\Users\Admin\AppData\Roaming\Steam.exe

Filesize
345KB

MD5
c8764c93e9cabbfaaa906f24e7b28cc1

SHA1
85b7f5c6e024d3f200abbaeca6d0db8b4dd276a2

SHA256
4e62e196ae6de4b1044188055a007c3f78eb878e791f9ede759e2c118a508948

SHA512
cce91c62fbcf54e04e1945511f9e84c6df3412ec4592f525e93db774e4106930930eb12c83e24d6c4d8c37a317c4ac4e276e18599d3a7a456e76d2fc127e9070

Download Submit
C:\Users\Admin\AppData\Roaming\Woofer.exe

Filesize
84KB

MD5
401884996ecf50f3c44e4bc55e228b3c

SHA1
8eec44a33a180a8ea816f1d07d40c396dfa243d0

SHA256
602eb973f30d7c9533eb827f3731b057e17271bcc7617c1526c9909b71baa683

SHA512
ea8b57b10ad3c569e2456c0cfedaada977db6f8dd768e15800e3af535b68299e66e3f77df613ee3a30a8bcd68a8deff315f5531ac6a40135de0a0126a28e6d08

Download Submit
memory/628-124-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download
memory/628-12-0x0000000000170000-0x000000000018C000-memory.dmp

Filesize
112KB

Download
memory/628-11-0x00007FFDF20F3000-0x00007FFDF20F5000-memory.dmp

Filesize
8KB

Download
memory/628-63-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download
memory/1496-53-0x00000175366B0000-0x00000175366B1000-memory.dmp

Filesize
4KB

Download
memory/1496-59-0x00000175366B0000-0x00000175366B1000-memory.dmp

Filesize
4KB

Download
memory/1496-55-0x00000175366B0000-0x00000175366B1000-memory.dmp

Filesize
4KB

Download
memory/1496-54-0x00000175366B0000-0x00000175366B1000-memory.dmp

Filesize
4KB

Download
memory/1496-57-0x00000175366B0000-0x00000175366B1000-memory.dmp

Filesize
4KB

Download
memory/1496-49-0x00000175366B0000-0x00000175366B1000-memory.dmp

Filesize
4KB

Download
memory/1496-58-0x00000175366B0000-0x00000175366B1000-memory.dmp

Filesize
4KB

Download
memory/1496-48-0x00000175366B0000-0x00000175366B1000-memory.dmp

Filesize
4KB

Download
memory/1496-56-0x00000175366B0000-0x00000175366B1000-memory.dmp

Filesize
4KB

Download
memory/1496-47-0x00000175366B0000-0x00000175366B1000-memory.dmp

Filesize
4KB

Download
memory/1552-160-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/1552-158-0x0000000005610000-0x0000000005964000-memory.dmp

Filesize
3.3MB

Download
memory/1680-65-0x0000000007890000-0x00000000078A4000-memory.dmp

Filesize
80KB

Download
memory/1680-19-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/1680-13-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/1680-67-0x00000000078C0000-0x00000000078C8000-memory.dmp

Filesize
32KB

Download
memory/1680-66-0x0000000007970000-0x000000000798A000-memory.dmp

Filesize
104KB

Download
memory/1680-64-0x0000000007880000-0x000000000788E000-memory.dmp

Filesize
56KB

Download
memory/1680-62-0x0000000007840000-0x0000000007851000-memory.dmp

Filesize
68KB

Download
memory/1680-46-0x0000000007640000-0x000000000765A000-memory.dmp

Filesize
104KB

Download
memory/1680-45-0x0000000007C80000-0x00000000082FA000-memory.dmp

Filesize
6.5MB

Download
memory/1680-44-0x0000000007500000-0x00000000075A3000-memory.dmp

Filesize
652KB

Download
memory/1680-43-0x00000000074D0000-0x00000000074EE000-memory.dmp

Filesize
120KB

Download
memory/1680-33-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/1680-32-0x00000000068E0000-0x0000000006912000-memory.dmp

Filesize
200KB

Download
memory/1680-14-0x0000000004D90000-0x0000000004DC6000-memory.dmp

Filesize
216KB

Download
memory/1680-61-0x00000000078D0000-0x0000000007966000-memory.dmp

Filesize
600KB

Download
memory/1680-31-0x0000000006340000-0x000000000638C000-memory.dmp

Filesize
304KB

Download
memory/1680-60-0x00000000076B0000-0x00000000076BA000-memory.dmp

Filesize
40KB

Download
memory/1680-30-0x0000000006300000-0x000000000631E000-memory.dmp

Filesize
120KB

Download
memory/1680-29-0x0000000005D00000-0x0000000006054000-memory.dmp

Filesize
3.3MB

Download
memory/1680-70-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1680-18-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/1680-17-0x0000000005340000-0x0000000005362000-memory.dmp

Filesize
136KB

Download
memory/1680-16-0x0000000005400000-0x0000000005A28000-memory.dmp

Filesize
6.2MB

Download
memory/1680-15-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4428-147-0x0000000000E50000-0x0000000000EAC000-memory.dmp

Filesize
368KB

Download
memory/4492-71-0x0000023953EC0000-0x0000023953EE2000-memory.dmp

Filesize
136KB

Download