xworm | b79174702d042f1f7fb9ae8edc60262397d736b34751eb1a3bc810c9a8728c46

Analysis

max time kernel
140s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

65KB
MD5

b2b82399ba6e9a1dad5056d76fd7c38c
SHA1

acd51a93c03e6375282c732e46dbba093d004277
SHA256

b79174702d042f1f7fb9ae8edc60262397d736b34751eb1a3bc810c9a8728c46
SHA512

9ba54b085761f397f8a7e0825e1d4bbba63662556bfe7a789f1895849bc6f8477d69953c75984cdac7fe501dc02954c6254943b60989934fa08331711644f75d
SSDEEP

1536:m3/NH4JsOCr53ewg/pFNQLDOeP8Br1+kb1bQ11XyBGqOcgoP7SQ:oNH4+VNg/pFODpgckb1a8BGqOcgaSQ

Score

10^/10

xworm defense_evasion discovery evasion execution persistence rat trojan upx

Malware Config

Extracted

Family

xworm

paypal-themselves.gl.at.ply.gg:34855

Attributes

Install_directory
%Userprofile%
install_file
winaudiog.exe

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x00060000000175f1-90.dat	disable_win_def
behavioral1/memory/1620-105-0x00000000020F0000-0x00000000020FE000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1620-1-0x0000000000870000-0x0000000000886000-memory.dmp	family_xworm

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	WScript.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	WScript.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2524	netsh.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000018745-89.dat	acprotect

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winaudiog.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winaudiog.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FPJMCI.lnk	program startup.exe

Executes dropped EXE 6 IoCs

pid	Process
1436	kpwxbe.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1976	majid z hacker website.exe
1240	program startup.exe
1560	microsoft corporation.exe
2540	microsoft corporation.exe

Loads dropped DLL 9 IoCs

pid	Process
1620	XClient.exe
1436	kpwxbe.exe
1436	kpwxbe.exe
1976	majid z hacker website.exe
1976	majid z hacker website.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1240	program startup.exe
1560	microsoft corporation.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\FPJMCI = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\program startup.exe\""	program startup.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2516	powershell.exe
2292	powershell.exe
2608	powershell.exe
1568	powershell.exe
2000	powershell.exe
3024	powershell.exe
1696	powershell.exe
2640	powershell.exe
3044	powershell.exe
2864	powershell.exe
928	powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ipapi.co
18	ipapi.co

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000016cab-26.dat	autoit_exe
behavioral1/memory/1240-46-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral1/memory/1764-98-0x0000000000810000-0x0000000001E17000-memory.dmp	autoit_exe
behavioral1/memory/1764-110-0x0000000000810000-0x0000000001E17000-memory.dmp	autoit_exe
behavioral1/memory/1764-166-0x0000000000810000-0x0000000001E17000-memory.dmp	autoit_exe
behavioral1/memory/1764-149-0x0000000000810000-0x0000000001E17000-memory.dmp	autoit_exe
behavioral1/memory/1764-138-0x0000000000810000-0x0000000001E17000-memory.dmp	autoit_exe
behavioral1/memory/1240-339-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000174f8-41.dat	upx
behavioral1/memory/1240-46-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral1/files/0x0006000000018745-89.dat	upx
behavioral1/memory/1764-94-0x0000000010000000-0x00000000100BB000-memory.dmp	upx
behavioral1/memory/1240-339-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral1/memory/1764-341-0x0000000010000000-0x00000000100BB000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	888_RAT_1.0.9 Cracked by Shark M!nd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	microsoft corporation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	microsoft corporation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	majid z hacker website.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	program startup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WSCript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kpwxbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000016ca0-21.dat	nsis_installer_1
behavioral1/files/0x0007000000016ca0-21.dat	nsis_installer_2
behavioral1/files/0x00070000000174b4-24.dat	nsis_installer_1
behavioral1/files/0x00070000000174b4-24.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
2608	powershell.exe
2292	powershell.exe
1696	powershell.exe
2864	powershell.exe
2640	powershell.exe
3044	powershell.exe
1568	powershell.exe
2516	powershell.exe
928	powershell.exe
2000	powershell.exe
3024	powershell.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe
1240	program startup.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1240	program startup.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	XClient.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	1560	microsoft corporation.exe
Token: 33	908	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	908	AUDIODG.EXE
Token: 33	908	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	908	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1620	XClient.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1764	888_RAT_1.0.9 Cracked by Shark M!nd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1436	1620	XClient.exe	32
PID 1620 wrote to memory of 1436	1620	XClient.exe	32
PID 1620 wrote to memory of 1436	1620	XClient.exe	32
PID 1620 wrote to memory of 1436	1620	XClient.exe	32
PID 1436 wrote to memory of 1764	1436	kpwxbe.exe	33
PID 1436 wrote to memory of 1764	1436	kpwxbe.exe	33
PID 1436 wrote to memory of 1764	1436	kpwxbe.exe	33
PID 1436 wrote to memory of 1764	1436	kpwxbe.exe	33
PID 1436 wrote to memory of 1976	1436	kpwxbe.exe	34
PID 1436 wrote to memory of 1976	1436	kpwxbe.exe	34
PID 1436 wrote to memory of 1976	1436	kpwxbe.exe	34
PID 1436 wrote to memory of 1976	1436	kpwxbe.exe	34
PID 1976 wrote to memory of 1240	1976	majid z hacker website.exe	35
PID 1976 wrote to memory of 1240	1976	majid z hacker website.exe	35
PID 1976 wrote to memory of 1240	1976	majid z hacker website.exe	35
PID 1976 wrote to memory of 1240	1976	majid z hacker website.exe	35
PID 1976 wrote to memory of 1560	1976	majid z hacker website.exe	36
PID 1976 wrote to memory of 1560	1976	majid z hacker website.exe	36
PID 1976 wrote to memory of 1560	1976	majid z hacker website.exe	36
PID 1976 wrote to memory of 1560	1976	majid z hacker website.exe	36
PID 1976 wrote to memory of 1068	1976	majid z hacker website.exe	37
PID 1976 wrote to memory of 1068	1976	majid z hacker website.exe	37
PID 1976 wrote to memory of 1068	1976	majid z hacker website.exe	37
PID 1976 wrote to memory of 1068	1976	majid z hacker website.exe	37
PID 1068 wrote to memory of 916	1068	WScript.exe	38
PID 1068 wrote to memory of 916	1068	WScript.exe	38
PID 1068 wrote to memory of 916	1068	WScript.exe	38
PID 1068 wrote to memory of 916	1068	WScript.exe	38
PID 916 wrote to memory of 1696	916	WScript.exe	39
PID 916 wrote to memory of 1696	916	WScript.exe	39
PID 916 wrote to memory of 1696	916	WScript.exe	39
PID 916 wrote to memory of 1696	916	WScript.exe	39
PID 916 wrote to memory of 2608	916	WScript.exe	41
PID 916 wrote to memory of 2608	916	WScript.exe	41
PID 916 wrote to memory of 2608	916	WScript.exe	41
PID 916 wrote to memory of 2608	916	WScript.exe	41
PID 916 wrote to memory of 2640	916	WScript.exe	43
PID 916 wrote to memory of 2640	916	WScript.exe	43
PID 916 wrote to memory of 2640	916	WScript.exe	43
PID 916 wrote to memory of 2640	916	WScript.exe	43
PID 916 wrote to memory of 2292	916	WScript.exe	45
PID 916 wrote to memory of 2292	916	WScript.exe	45
PID 916 wrote to memory of 2292	916	WScript.exe	45
PID 916 wrote to memory of 2292	916	WScript.exe	45
PID 916 wrote to memory of 2516	916	WScript.exe	47
PID 916 wrote to memory of 2516	916	WScript.exe	47
PID 916 wrote to memory of 2516	916	WScript.exe	47
PID 916 wrote to memory of 2516	916	WScript.exe	47
PID 916 wrote to memory of 928	916	WScript.exe	50
PID 916 wrote to memory of 928	916	WScript.exe	50
PID 916 wrote to memory of 928	916	WScript.exe	50
PID 916 wrote to memory of 928	916	WScript.exe	50
PID 916 wrote to memory of 2864	916	WScript.exe	51
PID 916 wrote to memory of 2864	916	WScript.exe	51
PID 916 wrote to memory of 2864	916	WScript.exe	51
PID 916 wrote to memory of 2864	916	WScript.exe	51
PID 916 wrote to memory of 3024	916	WScript.exe	54
PID 916 wrote to memory of 3024	916	WScript.exe	54
PID 916 wrote to memory of 3024	916	WScript.exe	54
PID 916 wrote to memory of 3024	916	WScript.exe	54
PID 916 wrote to memory of 3044	916	WScript.exe	55
PID 916 wrote to memory of 3044	916	WScript.exe	55
PID 916 wrote to memory of 3044	916	WScript.exe	55
PID 916 wrote to memory of 3044	916	WScript.exe	55

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\kpwxbe.exe
  "C:\Users\Admin\AppData\Local\Temp\kpwxbe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\888_RAT_1.0.9 Cracked by Shark M!nd.exe
    "C:\Users\Admin\AppData\Local\Temp\888_RAT_1.0.9 Cracked by Shark M!nd.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1764
- - C:\Users\Admin\AppData\Local\Temp\majid z hacker website.exe
    "C:\Users\Admin\AppData\Local\Temp\majid z hacker website.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\program startup.exe
      "C:\Users\Admin\AppData\Local\Temp\program startup.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      PID:1240
    - - C:\Windows\SysWOW64\WSCript.exe
        
        WSCript C:\Users\Admin\AppData\Local\Temp\FPJMCI.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe
      "C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1560
    - - C:\ProgramData\microsoft corporation.exe
        
        "C:\ProgramData\microsoft corporation.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2540
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\microsoft corporation.exe" "microsoft corporation.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:2524
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\SysWOW64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs" /elevate
        5⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:916
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
- C:\Windows\system32\shutdown.exe
  shutdown.exe /f /s /t 0
  2⤵
  PID:1692

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FPJMCI.vbs

Filesize
850B

MD5
6cd1e52fee0feec8ac4be7a1ec19eb0a

SHA1
45faaeea51c1a75cdca982d4ef0b0c2c266afe26

SHA256
5bee13a4b988a73518c23f9c6ff5a088e903769bac1fb5561c1e7ba0396716d5

SHA512
40ef44e566f63564c0e688b791c224c789668bf2d9d29dbd54acb3a1d4a183d7ae73c4bd138aa5be9e1494af82fcf148b0ac2cc3e5a1425625ef79bade5b5a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\kpwxbe.exe

Filesize
22.0MB

MD5
54c6dc01ba6c748106085665ff8ad61b

SHA1
f75d970df21d277d39656aeff50752d415b47c6e

SHA256
27e3e3350715b83a2a3059c008517e1e97b2531557aaefd3b4cee38f62039b1c

SHA512
9b5498b40de25dc788a728979518e3b6edcc1f0a0444f96bb19c68f91036b552b248d78b5f783ee5247eb7f7bb1272b4e4edf3f2c6650674c16b72593eec7f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\majid z hacker website.exe

Filesize
417KB

MD5
24995d61ddcd09aca3877ee88552d57c

SHA1
cf3bba8be96058daff0eba22c3e17510fabd458d

SHA256
34ddd8dafe9e6fabe4cac3428ce0f9b1d51183ecd3d70aa4d483086ee64a514f

SHA512
3de2434f9c75634921165daec270ffc6c4d9c14ff89328213f245d1b042ed4329b1817001c3eb27cd586bd86c2513585b9b516d2322c92e7b6f74a40e3b3d7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\script.vbs

Filesize
1KB

MD5
77a4da4863ffcaba51ce05d3c632158d

SHA1
253f9a594a6ca3a7a23acb90f8dc81939215ba4b

SHA256
ecd586281fc4655e40108fcf118beeae3411c1c1176951a763e47fb66d2e421f

SHA512
ba215fa65a011f5841f5e92b4053895c13368e894817551a982ca3e821726b8bbb13616bca8781fed08f4c83528d0d3ac233fa1f3e14ad4253fdefd9a22253cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\skin.dll

Filesize
239KB

MD5
bc8a6f4d28474d90a687ed00a9b5b60f

SHA1
c8a4c0816e2fc3d728f1a715ac6190b66f027e3a

SHA256
b78c160c882d08f98bc209dd2722b4f01290dd46a19e0be70d21473dae1c8ff2

SHA512
b90c9bcbfb08b1d63cd6066869896bbb13cfef15a6f30483e31868aca5b3c29150e71984ba3d07ba91da81d47a9d2dd29917851ec5bb04f8f463df113502078f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LSW3YH8HF24M8X18Z4LC.temp

Filesize
7KB

MD5
254f7d968eeb3a375a9e8333ef20d535

SHA1
c423904126fa35276e7d972c693210ff37a5225d

SHA256
52873b9163b18915cb22532edaf2b6315ff9c760080842e471939718455ce071

SHA512
c01ec01730c5e02effaca651bea274af49554b20a5754501d9e89385e99ed7e8d9a812d746901ed77809efcbc505cc1e0f37e595daa0594d98cfda982fc345a6

Download Submit
\Users\Admin\AppData\Local\Temp\888_RAT_1.0.9 Cracked by Shark M!nd.exe

Filesize
22.0MB

MD5
32004e656640aad1672f0ee98434bc3c

SHA1
d665b4e03e9d75f87079d65cff791147b7ee6e4f

SHA256
beb837e8832f27dacfd3719cf617310f1b9e74badbfca8705ecafce3ed5e6a33

SHA512
1cd55008d6352469a937f168d6d72cfd202d81c24a6be4c6256a4c73c576577aefe8da912c5cb09e12f12a58e46f99381fa9834b58bc356e0c530908b236785f

Download Submit
\Users\Admin\AppData\Local\Temp\microsoft corporation.exe

Filesize
33KB

MD5
23fb3146d1455b890afdbd9511b48351

SHA1
9e0118366167c76de2d88fb354606d5e58677eb7

SHA256
58c8e3599d16762dfc51decf16c3d014cd8c8dd1aab59a0acff5372c5182bda7

SHA512
92a816b16f854cb19a28a9bd186223dd3f7961800b6486b32be1f270b26a0240c0f68ebe0f6c555b72f0e3388f3aa1a061fad50c0b09aaec1af9de1185fc8cf4

Download Submit
\Users\Admin\AppData\Local\Temp\program startup.exe

Filesize
356KB

MD5
4caacd7358ca6be0197a8d7dd73f1347

SHA1
b0a0c0f64cfb9db363e423f1f2a72312c7d551fb

SHA256
ddfaaf02cbb33b9bbc9117dcdea0da555f4a6bf1d852e7e121bf9930cc2e4404

SHA512
84b19e735896baa67d996e91a7144092944147eb6949d887308519699ceec481f0ed16c766103ba62e90a679c397bb0f0e0ec7f45fab554d89cc54f373fd801f

Download Submit
\Users\Admin\AppData\Local\Temp\skin.888ww.msstyles

Filesize
3.3MB

MD5
ea5d5266b8a7bcc8788c83ebb7c8c7d5

SHA1
3e9ac1ab7d5d54db9b3d141e82916513e572b415

SHA256
91ac4d215b8d90aef9a000900c9088d4c33d58c5f35a720a385a3f2d2299e5d1

SHA512
404b35fca478a1f489ec1af7be1df897190d7deb0cd8139c2c89d68c24fa377d904cf0c5e30c09ab448d74d87a47aaa3a872bf66a9bc9c124f52798320d34e60

Download Submit
\Users\Admin\AppData\Local\Temp\tmp8739.tmp

Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
memory/1240-46-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1240-339-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1240-329-0x0000000004070000-0x0000000004080000-memory.dmp

Filesize
64KB

Download
memory/1240-345-0x0000000004070000-0x0000000004080000-memory.dmp

Filesize
64KB

Download
memory/1620-1-0x0000000000870000-0x0000000000886000-memory.dmp

Filesize
88KB

Download
memory/1620-16-0x000000001B780000-0x000000001B7EA000-memory.dmp

Filesize
424KB

Download
memory/1620-11-0x000000001B640000-0x000000001B67A000-memory.dmp

Filesize
232KB

Download
memory/1620-9-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/1620-338-0x000000001B800000-0x000000001B88E000-memory.dmp

Filesize
568KB

Download
memory/1620-8-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-7-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

Filesize
4KB

Download
memory/1620-6-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-105-0x00000000020F0000-0x00000000020FE000-memory.dmp

Filesize
56KB

Download
memory/1620-0-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

Filesize
4KB

Download
memory/1764-140-0x0000000074340000-0x0000000074372000-memory.dmp

Filesize
200KB

Download
memory/1764-157-0x0000000075CB0000-0x0000000075EC5000-memory.dmp

Filesize
2.1MB

Download
memory/1764-109-0x0000000073AA0000-0x0000000073AF1000-memory.dmp

Filesize
324KB

Download
memory/1764-106-0x0000000075ED0000-0x000000007602C000-memory.dmp

Filesize
1.4MB

Download
memory/1764-112-0x0000000074340000-0x0000000074372000-memory.dmp

Filesize
200KB

Download
memory/1764-113-0x0000000076960000-0x0000000076A00000-memory.dmp

Filesize
640KB

Download
memory/1764-110-0x0000000000810000-0x0000000001E17000-memory.dmp

Filesize
22.0MB

Download
memory/1764-111-0x0000000074860000-0x0000000074869000-memory.dmp

Filesize
36KB

Download
memory/1764-108-0x00000000767E0000-0x000000007680A000-memory.dmp

Filesize
168KB

Download
memory/1764-107-0x0000000075C00000-0x0000000075C8F000-memory.dmp

Filesize
572KB

Download
memory/1764-116-0x0000000075CB0000-0x0000000075EC5000-memory.dmp

Filesize
2.1MB

Download
memory/1764-115-0x0000000076A50000-0x0000000076AA7000-memory.dmp

Filesize
348KB

Download
memory/1764-114-0x0000000074500000-0x000000007469E000-memory.dmp

Filesize
1.6MB

Download
memory/1764-118-0x0000000075B80000-0x0000000075BFB000-memory.dmp

Filesize
492KB

Download
memory/1764-121-0x0000000075C00000-0x0000000075C8F000-memory.dmp

Filesize
572KB

Download
memory/1764-120-0x0000000075ED0000-0x000000007602C000-memory.dmp

Filesize
1.4MB

Download
memory/1764-119-0x0000000074B00000-0x000000007574A000-memory.dmp

Filesize
12.3MB

Download
memory/1764-123-0x00000000766A0000-0x000000007676C000-memory.dmp

Filesize
816KB

Download
memory/1764-128-0x0000000074500000-0x000000007469E000-memory.dmp

Filesize
1.6MB

Download
memory/1764-141-0x0000000076960000-0x0000000076A00000-memory.dmp

Filesize
640KB

Download
memory/1764-103-0x0000000075CB0000-0x0000000075EC5000-memory.dmp

Filesize
2.1MB

Download
memory/1764-139-0x0000000074860000-0x0000000074869000-memory.dmp

Filesize
36KB

Download
memory/1764-152-0x0000000075AA0000-0x0000000075B3D000-memory.dmp

Filesize
628KB

Download
memory/1764-153-0x0000000076960000-0x0000000076A00000-memory.dmp

Filesize
640KB

Download
memory/1764-151-0x0000000074340000-0x0000000074372000-memory.dmp

Filesize
200KB

Download
memory/1764-150-0x0000000074860000-0x0000000074869000-memory.dmp

Filesize
36KB

Download
memory/1764-168-0x0000000074500000-0x000000007469E000-memory.dmp

Filesize
1.6MB

Download
memory/1764-167-0x0000000074340000-0x0000000074372000-memory.dmp

Filesize
200KB

Download
memory/1764-124-0x0000000073AA0000-0x0000000073AF1000-memory.dmp

Filesize
324KB

Download
memory/1764-126-0x0000000075AA0000-0x0000000075B3D000-memory.dmp

Filesize
628KB

Download
memory/1764-127-0x0000000076960000-0x0000000076A00000-memory.dmp

Filesize
640KB

Download
memory/1764-125-0x0000000074340000-0x0000000074372000-memory.dmp

Filesize
200KB

Download
memory/1764-131-0x0000000075CB0000-0x0000000075EC5000-memory.dmp

Filesize
2.1MB

Download
memory/1764-104-0x0000000074B00000-0x000000007574A000-memory.dmp

Filesize
12.3MB

Download
memory/1764-166-0x0000000000810000-0x0000000001E17000-memory.dmp

Filesize
22.0MB

Download
memory/1764-165-0x0000000076A50000-0x0000000076AA7000-memory.dmp

Filesize
348KB

Download
memory/1764-164-0x0000000073AA0000-0x0000000073AF1000-memory.dmp

Filesize
324KB

Download
memory/1764-163-0x0000000073B80000-0x0000000073B93000-memory.dmp

Filesize
76KB

Download
memory/1764-101-0x0000000076960000-0x0000000076A00000-memory.dmp

Filesize
640KB

Download
memory/1764-102-0x0000000076A50000-0x0000000076AA7000-memory.dmp

Filesize
348KB

Download
memory/1764-162-0x00000000766A0000-0x000000007676C000-memory.dmp

Filesize
816KB

Download
memory/1764-160-0x0000000075C00000-0x0000000075C8F000-memory.dmp

Filesize
572KB

Download
memory/1764-159-0x0000000075B80000-0x0000000075BFB000-memory.dmp

Filesize
492KB

Download
memory/1764-156-0x00000000743E0000-0x00000000743F2000-memory.dmp

Filesize
72KB

Download
memory/1764-155-0x0000000076A50000-0x0000000076AA7000-memory.dmp

Filesize
348KB

Download
memory/1764-154-0x0000000074500000-0x000000007469E000-memory.dmp

Filesize
1.6MB

Download
memory/1764-149-0x0000000000810000-0x0000000001E17000-memory.dmp

Filesize
22.0MB

Download
memory/1764-148-0x0000000073AA0000-0x0000000073AF1000-memory.dmp

Filesize
324KB

Download
memory/1764-147-0x00000000766A0000-0x000000007676C000-memory.dmp

Filesize
816KB

Download
memory/1764-145-0x0000000075CB0000-0x0000000075EC5000-memory.dmp

Filesize
2.1MB

Download
memory/1764-144-0x00000000743E0000-0x00000000743F2000-memory.dmp

Filesize
72KB

Download
memory/1764-143-0x0000000076A50000-0x0000000076AA7000-memory.dmp

Filesize
348KB

Download
memory/1764-142-0x0000000074500000-0x000000007469E000-memory.dmp

Filesize
1.6MB

Download
memory/1764-138-0x0000000000810000-0x0000000001E17000-memory.dmp

Filesize
22.0MB

Download
memory/1764-137-0x0000000073AA0000-0x0000000073AF1000-memory.dmp

Filesize
324KB

Download
memory/1764-136-0x0000000073B80000-0x0000000073B93000-memory.dmp

Filesize
76KB

Download
memory/1764-135-0x00000000766A0000-0x000000007676C000-memory.dmp

Filesize
816KB

Download
memory/1764-134-0x0000000075C00000-0x0000000075C8F000-memory.dmp

Filesize
572KB

Download
memory/1764-133-0x0000000075B80000-0x0000000075BFB000-memory.dmp

Filesize
492KB

Download
memory/1764-130-0x00000000743E0000-0x00000000743F2000-memory.dmp

Filesize
72KB

Download
memory/1764-129-0x0000000076A50000-0x0000000076AA7000-memory.dmp

Filesize
348KB

Download
memory/1764-100-0x0000000075AA0000-0x0000000075B3D000-memory.dmp

Filesize
628KB

Download
memory/1764-99-0x0000000074340000-0x0000000074372000-memory.dmp

Filesize
200KB

Download
memory/1764-98-0x0000000000810000-0x0000000001E17000-memory.dmp

Filesize
22.0MB

Download
memory/1764-94-0x0000000010000000-0x00000000100BB000-memory.dmp

Filesize
748KB

Download
memory/1764-341-0x0000000010000000-0x00000000100BB000-memory.dmp

Filesize
748KB

Download
memory/1976-44-0x0000000002D20000-0x0000000002DEA000-memory.dmp

Filesize
808KB

Download